$4.75 Million HIPAA Breach Case with HHS Settled

The U.S. Department of Health and Human Services (HHS) recently settled with Montefiore Medical Center (MMC) for $4.75 million due to a breach of electronic protected health information (ePHI), according to an article by Rivkin Radler LLP.

The breach occurred when an MMC employee sold patient data, including names, addresses, Social Security numbers, and health insurance information, to an identity theft ring. The breach was discovered in May 2015, when MMC found that the employee had inappropriately accessed over 12,000 patient records in early 2013. MMC reported the breach to HHS in November 2015.

As part of the settlement, MMC agreed to a corrective action plan (CAP) requiring a comprehensive assessment of potential security risks to their ePHI. This assessment encompasses all MMC locations and evaluates risks in electronic equipment, data systems, and programs containing ePHI.

Additionally, MMC must develop a risk management plan addressing identified security risks and update privacy and security policies accordingly. Failure to comply with the CAP could result in civil penalties imposed by HHS.

This settlement underscores the importance of healthcare providers adhering to compliance obligations under HIPAA’s Privacy and Security Rules. These obligations include conducting regular risk assessments to identify and address vulnerabilities in data infrastructure. Compliance with these rules is essential for safeguarding patient information and preventing unauthorized access and breaches.