New York City-based Montefiore Medical Center has reached a settlement with HHS and agreed to pay $4.75 million over a "data security failure."
The $4.75 million settlement stems from potential data security lapses at Montefiore Medical Center, which allowed an employee to steal and sell patients' protected health information over a six-month period, according to a Feb. 6 news release from the HHS.
The investigation into Montefiore began in May 2015 when the New York Police Department informed the hospital that it had evidence indicating the theft of a specific patient's medical information.
Subsequent internal investigations revealed that an employee had stolen the electronic protected health information of 12,517 patients two years prior and sold it to an identity theft ring.
Under the settlement terms, Montefiore Medical Center will pay $4.75 million to HHS' Office for Civil Rights and implement a corrective action plan. The plan includes conducting a thorough risk assessment, developing a risk management plan, implementing mechanisms to record and examine system activity, reviewing and revising policies, and providing workforce training on HIPAA policies and procedures.
OCR will also monitor Montefiore Medical Center for two years to ensure compliance with the corrective measures.
Becker's reached out to Montefiore for comment and will update the story if more information is learned.