Montefiore Medical Center Settles

This week our U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced its Montefiore Medical Center (MMC) settlement. MMC has agreed to pay $475M and enter a two-year corrective action plan, following a 2015 reported employee theft of protected health information (PHI).

It is reported that MMC, alerted to the theft by the New York Police Department, conducted its own internal investigation and discovered that two years prior an employee had sold the PHI of 12,517 patients to an identity theft ring.

We all want our people to do their best and trust that we would never hire someone who would act with criminal intent. But as this case shows, some people will let their organization down.

OCR's investigation demonstrated that MMC potentially violated the HIPAA Security Rules, including MMC's failure to "...analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that record and examine activity in information systems containing or using protected health information..." - pretty non-compliant actions for a non-profit hospital system.

We encourage our partner-clients to share this information and use it to communicate to their leadership team that vulnerabilities exist, even within the four walls occupied by a great team. Click the graphic below to read the settlement agreement.

Stay (HIPAA) safe,

Alan -
