News: Montefiore to pay almost $5 million in fines for HIPAA violations

In a settlement with the Health and Human Services Department’s (HHS) Office of Civil Rights (OCR), Montefiore Medical Center will pay a $4.75 million fine for failing to secure patient data. The New York City-based health system was charged with several violations of the Health Insurance Portability and Accountability (HIPAA) Act Security Rule, reported HealthLeaders.

According to the HHS, Montefiore received a tip in 2015 from federal officials about a data breach. Since 2013, a former employee had been accessing the data of more than 12,000 patients through the organization’s electronic medical record system, health system officials found in an investigation. The data included names, addresses, social security numbers, and confidential medical records.

The health system failed to “analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that record and examine activity in information systems containing or using protected health information,” the investigators found.

The former employee was arrested and charged with three felonies. Since then, the Montefiore officials say they have taken steps to improve security and protect patient data, including expanding monitoring capabilities around patient information and implementing additional technical safeguards to protect all electronic records.

Editor’s note: To read HealthLeaders’ coverage of this story, click here. To read the HHS press release, click here.