Montefiore settles with OCR for $4.75 million over stolen ePHI

The U.S. Department of Health and Human Services Office for Civil Rights announced Monday that the settlement and corrective action with Montefiore Medical Center, a nonprofit hospital system based in New York City, resolves multiple potential deficiencies of the Health Insurance Portability and Accountability Act .

WHY IT MATTERS

After New York Police notified Montefiore Medical Center in May 2015 that a specific patient’s medical information had been stolen, the healthcare organization conducted an investigation and subsequently reported that an employee had stolen and sold the electronically secured health information of 12,517 patients.

The employee stole and sold ePHI for six months, and OCR said in a statement that the $4.75 million monetary settlement was related to flaws in Montefiore’s data security.

While cyberattacks by malicious insiders are “not uncommon,” ePHI risks must be addressed, said OCR Director Melanie Fontes Rainer.

“This investigation and the settlement with Montefiore are an example of how the healthcare industry can be seriously targeted by cybercriminals and thieves – even within their own walls,” Fontes Rainer said in a statement.

“Cyberattacks do not discriminate based on the size or status of the organization, and it is incumbent upon our health care system to follow the law to protect patient records.”

OCR said it will monitor Montefiore Medical Center cyber security corrective action plan for two years to ensure HIPAA compliance and emphasized the need for healthcare providers, health plans, clearinghouses and HIPAA covered business partners to neutralize cyber threats with industry best practices.

The agency noted that eight regional offices provide cybersecurity training and also recommended that HIPAA covered entities consult the following resources:

THE BIG TREND

HHS worked with the Cybersecurity and Infrastructure Security Agency on a Cybersecurity Toolkit for Healthcare and Public Health in October, released a Cybersecurity Strategy for the Healthcare Sector in December, and recently announced voluntary performance goals to improve cybersecurity in the healthcare sector.

Essential targets provide a “floor of safeguards” to better protect health care organizations from cyberattacks, improve incident response and minimize risk, the agency said when it released the voluntary targets. It would also “work with Congress to obtain new authority and funding to provide financial support and incentives to domestic hospitals to implement high-impact cybersecurity practices.”

Insider threats can come from staff working on-site, as well as from the credentials of former employees. It could be helpful for healthcare systems to rethink their cybersecurity culture, according to healthcare cybersecurity experts.

Ahead of the 2023 HIMSS Cybersecurity Forum, Dr. Eric Liederman, director of medical informatics at Kaiser Permanente, said it is also critical to instill confidence in patients that healthcare organizations take their personal safety and the security of personal data seriously.

ON THE RECORD

“Cyber ​​attacks carried out by insiders are one of many ways that can lead to a security breach, leaving patients vulnerable,” HHS Assistant Secretary Andrea Palm said in the announcement. “HHS will continue to remind health care systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Related Post