HHS Settles Cybersecurity Investigation With Montefiore Medical Center

Dive Brief:

• New York City-based Montefiore Medical Center will pay $4.75 million to settle allegations that data security failures allowed an employee to steal and sell the protected health information of thousands of patients over six months, the HHS’ Office for Civil Rights announced Tuesday.
• Montefiore conducted an investigation after being alerted by law enforcement in 2015, and reported that an employee had taken data from more than 12,500 patients two years earlier and sold it to an identity theft ring, the HHS said in a press release. 
• The OCR said Montefiore had “multiple potential violations” of the HIPAA Security Rule, and that the nonprofit was unable to immediately detect or prevent the attack because it was missing key safeguards.

Dive Insight:

The settlement comes as regulators have been sounding the alarm about cybersecurity in the healthcare sector. More than 134 million people were affected by large breaches reported to the OCR last year, compared with just 55 million in 2022, according to the agency. 

The HHS released a concept paper late last year that outlined its strategy to support cybersecurity in the industry. The paper included proposals to enforce cyber standards at hospitals through Medicare and Medicaid. 

But the agency has also promoted voluntary goals, which it said could help healthcare organizations prevent attacks, improve their response and minimize remaining risk. It’s also settled cases with other providers, including claims related to ransomware and phishing attacks. 

In the OCR’s latest investigation, the agency determined Montefiore had failed to identify potential risks and vulnerabilities, monitor and safeguard its IT systems, and implement policies to oversee systems that contained protected health information.

In addition to the monetary settlement, Montefiore will have to put in place a corrective action plan and be monitored by the OCR for two years, the agency said.

“Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” OCR Director Melanie Fontes Rainer said in a statement.

Montefiore has taken steps to improve its security, including by increasing training for staff and expanding monitoring capabilities for systems that contain patient information, a spokesperson told Healthcare Dive. The employee who stole patient data was also terminated and prosecuted.