The Health and Human Services Department's Office for Civil Rights (OCR) has reached a $4.75 million settlement with Montefiore Medical Center over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), HHS announced Tuesday.
In 2013, according to HHS, an unnamed former hospital employee sold the electronic protected health information (ePHI) of 12,517 patients to an identity theft group. The New York City hospital did not detect the breach, or report it to OCR, until 2015.
HHS said its investigation found several potential HIPAA violations, chiefly alleged lapses in the hospital's safeguards for patient information that allowed the insider's theft to go undiscovered for roughly two years. The breach was not an external cyberattack but misuse of legitimate access by an employee, the kind of activity that only audit logging and regular review of that logging can surface.
In addition to the payment, the hospital agreed to a corrective action plan requiring it to conduct a risk analysis that identifies potential security risks to ePHI, adopt a risk management plan to address them, and implement audit controls that record and examine all electronic health record activity so it can monitor who is accessing patient information. The hospital will also review and revise its HIPAA policies and provide additional staff training on them. The two-year detection gap is the practical lesson here: recording access is only the first step, and the logs must be reviewed on a schedule against expected access patterns for a single insider's unusual activity to stand out.
“With health systems across the country continuing to be targets for data breaches and other malicious cyberattacks, we take our responsibility to protect patient information very seriously and remain committed to ensuring safety protocols and cybersecurity safeguards are always maintained to protect our patients' privacy," a Montefiore spokesperson said Tuesday.
HHS will monitor the hospital for the next two years, the department said.
In 2023, almost 133 million individuals were affected by healthcare data breaches in which their information was stolen or otherwise exposed, according to HHS.