The New York City-based health system was fined $4.75 million after a federal investigation found that a former employee and stolen patient data from the EHR.
Montefiore Medical Center has agreed to pay a $4.75 million fine for failing to secure patient data.
The New York City-based, 10-hospital health system was charged by the Health and Human Services Department’s Office of Civil Rights (OCR) with several violations of the Health Insurance Portability and Accountability (HIPAA) Act Security Rule.
According to the HHS, Montefiore received a tip in 2015 from federal officials about a data breach. An investigation by health system officials found that since 2013 a former employee had been accessing the data of more than 12,000 patients through the health system’s electronic medical record system. The data included names, addresses, social security numbers, and confidential medical records.
Montefiore filed a breach report with HHS, prompting the federal investigation.
Investigators found that the health system failed to “analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that record and examine activity in information systems containing or using protected health information.”
By failing to properly monitor its EHR, the investigation reported, Montefiore was unable to stop the cyberattack or even detect it until years later.
Since the investigation and arrest of the former employee, who was charged with three felonies, Montefiore officials say they have taken steps to improve security and protect patient data. This includes expanding monitoring capabilities around patient information and implementing additional technical safeguards to protect all electronic records.
A Montefiore spokesperson told HealthLeaders in an e-mail that they have also increased training and outreach to staff to reinforce privacy and security standards, reminding staff that patient privacy is a basic right.
“With healthcare systems across the country continuing to be targets for data breaches and other malicious cyberattacks, we take our responsibility to protect patient information very seriously and remain committed to ensuring safety protocols and cybersecurity safeguards are always maintained to protect our patients' privacy,” the spokesperson said.
Cybersecurity attacks on healthcare systems are becoming more common. According to HHS, from 2018-2022 there was a 93% increase in large data breaches reported to OCR, and a 287% increase in large breaches using ransomware. In 2023 alone two new records were set: the most reported data breaches (725) and the most breached records (133 million).
“Unfortunately, we are living in a time where cyberattacks from malicious insiders are not uncommon,” OCR Director Melanie Fontes Rainer said in the HHS press release on the Montefiore investigation. “Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently.”
“This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls,” she added. “Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care systems follow the law to protect patient records.”
In March 2023 the Biden Administration released a National Cybersecurity Strategy, and HHS followed this with a healthcare-specific plan indicating that the agency would play a more active role in helping health systems become more secure.
The plan highlights four main guidelines that HHS will follow to help ensure the security of health systems. The agency plans to:
- Establish voluntary cybersecurity performance goals for the healthcare sector;
- Provide resources to incentivize and implement these cybersecurity practices;
- Implement an HHS-wide strategy to support greater enforcement and accountability; and
- Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity.
Marie DeFreitas is the finance editor for HealthLeaders.
KEY TAKEAWAYS
Montefiore Medical Center will pay $4.75 million in a settlement with the Health and Human Services Department’s Office of Civil Rights for a data breach
According to the investigation, a former employee had illegally accessed the data of more than 12,000 patients between 2013 and 2015.
With data breaches on the rise, HHS plans to play a more active role in helping health systems follow best cybersecurity practices