The U.S. Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) have settled with Montefiore Medical Center regarding potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The settlement involves a $4.75 million monetary penalty and corrective actions to address various data security failures at Montefiore Medical Center. Those failures allowed an employee to steal and sell patients’ protected health information over six months.

In 2015, the New York Police Department (NYPD) informed Montefiore Medical Center of evidence indicating the theft of a specific patient’s medical information. Following an internal investigation, NYPD found that an employee had stolen the electronic protected health information of 12,517 patients two years earlier and sold the information to an identity theft ring. Montefiore Medical Center reported this breach to the Office for Civil Rights (OCR).

The Office for Civil Rights (OCR) investigation revealed multiple potential violations of the HIPAA Security Rule, including Montefiore Medical Center’s failure to analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard activity in its health information systems, and to implement policies and procedures to record and examine activity in information systems containing or using protected health information. These oversights left Montefiore Medical Center vulnerable to the cyberattack, and the organization could not detect the attack until years later.

As part of the settlement, Montefiore Medical Center will pay OCR $4,750,000 and implement a corrective action plan to better protect and secure protected health information. This includes conducting a thorough assessment of potential security risks and vulnerabilities, developing a risk management plan, implementing hardware and software mechanisms to record and examine activity in information systems containing electronic protected health information, reviewing and revising written policies and procedures to comply with the HIPAA Privacy and Security Rules, and providing training to its workforce on HIPAA policies and procedures.

The Office for Civil Rights (OCR) will monitor Montefiore Medical Center for two years to ensure compliance with HIPAA regulations.