Insider Cybersecurity Breach Costs Hospital $4.75 Million

The U.S. Department of Health and Human Services (HHS) recently settled a cybersecurity case with Montefiore Medical Center, a hospital in New York City, for a staggering $4.75 million. This settlement stems from multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which mandates protections for patients’ health information.

Here’s a breakdown of what happened: an employee at Montefiore Medical Center stole and sold patients’ protected health information over a six-month period. This incident triggered an investigation by HHS’ Office for Civil Rights (OCR), responsible for enforcing health information privacy laws.

Melanie Fontes Rainer, Director of OCR, emphasized the growing threat of cyber-attacks, even from insiders within organizations. This settlement highlights the importance of swiftly addressing risks to patient data security.

Andrea Palm, HHS Deputy Secretary, underscored the crucial role of trust in healthcare, emphasizing the need for robust policies and procedures to safeguard patient records.

The breach was discovered in 2015 when the New York Police Department notified Montefiore Medical Center of the potential theft of patient information. Subsequent internal investigations revealed the extent of the breach: over 12,000 patients were affected by the theft.

OCR’s investigation uncovered several lapses in Montefiore Medical Center’s adherence to the HIPAA Security Rule. These included failures to analyze risks, monitor information system activity, and implement adequate policies and procedures for data security.

As part of the settlement, Montefiore Medical Center agreed to pay the hefty fine and implement a corrective action plan. This plan includes conducting risk assessments, developing risk management strategies, enhancing monitoring mechanisms, revising policies, and providing staff training on HIPAA compliance.

The settlement serves as a stark reminder of the importance of cybersecurity in healthcare and the legal obligations to protect patient information. OCR will closely monitor Montefiore Medical Center’s compliance over the next two years to ensure ongoing adherence to HIPAA regulations.