Albert Einstein-Affiliated Montefiore Settles for $4.75M Over Insider’s Theft of Patient Info
A 10-year-old breach of patients’ protected health information by a then-employee has cost Montefiore Medical Center a $4.75 million settlement with the HHS Office for Civil Rights (OCR), which alleged HIPAA violations occurred when “one of their employees stole the electronic protected health information of 12,517 patients and sold the information to an identity theft ring.” Montefiore’s website describes it as the “University Hospital and Academic Medical Center for Albert Einstein College of Medicine.”
According to OCR’s Feb. 6 announcement, in “May 2015, the New York Police Department informed Montefiore Medical Center that there was evidence of theft of a specific patient’s medical information. The incident prompted Montefiore Medical Center to conduct an internal investigation.” Montefiore found the theft occurred from Jan. 1 through June 30, 2013. It notified OCR of the breach on July 22, 2015. The employee “inappropriately accessed patient account information, including the patient’s name, address, [Social Security number], next of kin, and health insurance information” from Montefiore’s electronic medical records system, OCR said in settlement documents.

Requirements under the two-year corrective action plan include conducting a security risk assessment, revising policies and procedures, and retraining workers.

The payment is the largest since a $5.1 million settlement with Lifetime Healthcare Companies, including its affiliate Excellus Health Plan, in 2021, which resulted from a breach of 9.3 million individuals’ records. However, since 2019, when the University of Texas MD Anderson Cancer Center successfully fought OCR’s $4.3 million fine, the agency has routinely reached settlements that rarely exceed several hundred thousand dollars.