Montefiore employee terminated after data breach affected up to 4,000 patient records

On Friday, Montefiore Medical Center alerted patients that a former employee had recently stolen personal information from roughly 4,000 patient records, which led Montefiore to terminate the employee upon learning of the security breach and potential identity theft.

The hospital discovered the breach in July, and determined that addresses, dates of birth and Social Security numbers were potentially compromised over a period of more than two years, from January 2017 to July of this year. 

While there's no evidence to date that the patient information was used for the purposes of identity theft, a New York Police Department investigation is still underway.

Montefiore requires criminal background checks on all employees and in its notice to patients it touted its privacy policies, including a strict code of conduct that prohibits employees from looking at patient records unless they have a work-related reason. The employee involved in this case received significant privacy and security training but allegedly chose to violate the hospital's policies. The activity was sussed out using technology that monitors improper access to electronic patient records.

In the wake of this breach, Montefiore said it is expanding monitoring capabilities and employee training programs to bolster privacy safeguards and standards.

It's also offering all affected patients identity-theft-protection services through data breach and recovery company ID Experts. Patients will receive identity recovery services, 12 months of credit monitoring and a $1,000,000 insurance policy. 

Patients with questions regarding this incident can visit https://app.myidcare.com/account-creation/protect or call 1-833-755-1027, Monday through Friday, 9 a.m. to 9 p.m. Eastern Time, excluding major holidays, with the costs fully covered by Montefiore.

THE LARGER TREND

The Montefiore breach is the latest such breach to occur at a major hospital or health system. Just this month, NorthShore University HealthSystem reported that protected health information was involved in a data security breach, and Northwestern Memorial Healthcare alone said it recently notified about 56,000 donors and patients that their information may have become compromised. Those breaches have been reported to the U.S. Department of Health and Human Services' Office for Civil Rights.

In June, HHS reported an increase in cybersecurity breaches in hospitals and providers' networks, which the agency thinks may be the result of hackers taking advantage of the distractions caused by the COVID-19 pandemic.

Between February and May, there were 132 reported breaches, an almost 50% increase from the same period last year. Natali Tshuva, CEO and cofounder of Sternum, an IoT cybersecurity company that provides medical device manufacturers with built-in security solutions, said that gaining control through patients' medical devices has become a common technique for hacking during the pandemic because more people are using remote care.

These breaches can be costly. The average breach, according to the Ponemon Institute, costs nearly $3 million and exposes roughly 10,000 records.

Twitter: @JELagasse
Email the writer: jeff.lagasse@himssmedia.com