Montefiore settles with OCR for $4.75M over stolen ePHI

Update: Comments from Montefiore Medical Center were added to the story on February 7, 2024.

The U.S. Department of Health and Human Services Office for Civil Rights announced Monday that its settlement and corrective action with Montefiore Medical Center, a nonprofit hospital system based in New York City, resolves multiple potential failures of the Health Insurance Portability and Accountability Act. 

WHY IT MATTERS

After the New York Police Department informed Montefiore Medical Center that a specific patient’s medical information had been stolen in May 2015, the healthcare organization conducted an investigation and then reported that a staff member had stolen the electronic protected health information of 12,517 patients and sold it.

The employee stole and sold ePHI over six months, and OCR said in a statement that the $4.75 million monetary settlement was related to data security failures by Montefiore. 

While cyberattacks from malicious insiders are “not uncommon,” ePHI risks must be addressed, according to OCR Director Melanie Fontes Rainer. 

“This investigation and settlement with Montefiore are an example of how the healthcare sector can be severely targeted by cybercriminals and thieves – even within their own walls,” Fontes Rainer said in a statement.

“Cyberattacks do not discriminate based on organization size or stature, and it’s incumbent that our healthcare system follows the law to protect patient records.” 

OCR said it will monitor Montefiore Medical Center’s cybersecurity corrective action plan for two years to ensure HIPAA compliance and stressed the need for healthcare providers, health plans, clearinghouses and HIPAA-covered business associates to neutralize cyber threats with industry best practices.

The agency noted eight regional offices conduct cybersecurity training and also recommended HIPAA-covered entities refer to the following resources:

Montefiore reached out to Healthcare IT News Wednesday and noted that health organizations had the highest number of cyberattacks last year compared to any other critical infrastructure industry in New York.
 
And while the matter “dates back many years” and was self-reported by Montefiore, the provider said it’s taken several actions to “improve the security of our systems and to reinforce the protection of patient information,” including increased privacy and security training outreach to the staff.
 
“With healthcare systems across the country continuing to be targets for data breaches and other malicious cyberattacks, we take our responsibility to protect patient information very seriously and remain committed to ensuring safety protocols and cybersecurity safeguards are always maintained to protect our patients’ privacy,” a spokesperson from the company said by email.

THE LARGER TREND

HHS worked with the Cybersecurity and Infrastructure Security Agency on a Cybersecurity Toolkit for Healthcare and Public Health in October, released a cybersecurity strategy for the healthcare sector in December and, more recently, announced voluntary performance goals to enhance cybersecurity across the health sector.

Essential goals set “a floor of safeguards” to better protect healthcare organizations from cyberattacks, improve incident response and minimize risk, the agency said as it released the voluntary goals. It also would “work with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices.”

Insider threats can come from staff working on-site, as well as former employees’ access credentials, and it’s helpful for health systems to rethink their cybersecurity culture, according to healthcare cybersecurity experts.

Ahead of the 2023 HIMSS Cybersecurity Forum, Dr. Eric Liederman, Kaiser Permanente’s director of medical informatics, said it’s also key to establishing trust with patients that healthcare organizations take their personal safety and personal data safety seriously.

ON THE RECORD

“Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable,” HHS Deputy Secretary Andrea Palm said in the announcement. “HHS will continue to remind healthcare systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.” 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
