Report on Patient Privacy 24, no. 3 (March, 2024)
Although the HHS Office for Civil Rights (OCR) described its recent $4.75 million agreement with a Bronx, New York, hospital as settling a “malicious insider cybersecurity investigation,” the agency considered a total of 11 breaches Montefiore Medical Center experienced from 2010 to 2022 in establishing sanctions, RPP has learned.
As with many other OCR investigations that lead to settlements, the lack of a risk analysis was a central finding in this case and figured in a $40,000 agreement the agency also issued last month. In a related development, OCR Director Melanie Fontes Rainer in late February announced the agency was launching a “risk analysis enforcement initiative,” although she provided few details.
Regarding the Montefiore settlement, the agency drew attention to an employee found in 2015 to have stolen the protected health information (PHI) of 12,517 patients and who later “sold the information to an identity theft ring.”[1] It is not clear how or why this qualifies as a “cyber-attack,” as Fontes Rainer called it, rather than an ordinary employee-turned-criminal situation.
The employee acted over a six-month period in 2013, but the theft wasn’t discovered until 2015, following a tip from the New York Police Department.
“OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures by Montefiore Medical Center to analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that record and examine activity in information systems containing or using protected health information,” OCR said in its Feb. 6 announcement. “Without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack or even detect the attack had happened until years later.”
This breach is one of 11 listed on OCR’s reporting website where breaches affecting 500 or more individuals are posted.
In response to RPP’s questions, the agency acknowledged it factored the medical center’s history into the financial penalty and accompanying two-year corrective action plan (CAP).
“OCR considered the eight reported breaches submitted by Montefiore Medical Center as part of the investigation and resolution of this matter,” the agency told RPP. “OCR also investigated three breaches in which Montefiore Medical Center took appropriate corrective action.”
RPP asked both OCR and Montefiore what the $4.75 million was based on. OCR said it “generally does not comment” on its negotiations. “OCR considers multiple factors in determining the terms of a settlement including the number of potential violations and the length of the potential violations,” it said. The amount is the sixth largest in OCR’s history.
Montefiore did not answer any of RPP’s questions, including whether it considered the $4.75 million penalty fair. It issued a general statement regarding its response to the incident, in which the medical center highlighted and enumerated enhanced safeguards it has implemented. It did not admit to wrongdoing as part of the settlement.
The medical center is one of 10 hospitals in the Montefiore Health System, which includes Albert Einstein College of Medicine. It was recently in the news after receiving a $1 billion donation, which will be used to fund medical students’ tuition.
Asked why it took eight years to conclude the investigation and reach a settlement, OCR similarly told RPP it “does not comment on the negotiations. Some investigations can take longer to complete, particularly if there are multiple breach reports filed while a regulated entity is under investigation.”
Employees—Not External Hackers—Committed Breaches
Despite Montefiore experiencing nearly a dozen breaches, the total number of affected individuals was fewer than 142,000—and a breach by a business associate (BA) following a ransomware attack accounted for 76,068 of those. The number is a far cry from the millions whose PHI was exposed in other breaches.
In a statement provided to RPP, Montefiore officials said they “take our responsibility to protect patient information very seriously and remain committed to ensuring safety protocols and cybersecurity safeguards are always maintained to protect our patients’ privacy.” The statement noted the 2015 breach “dates back many years ago and was self-reported by Montefiore”—which is required under the Breach Notification Rule.
The employee involved was fired, arrested for three felonies and “successfully prosecuted for this crime,” Montefiore said.
The 2015 incident is one of seven Montefiore reported that involved an employee. Aside from the identity theft angle, it is not the most significant in terms of the number of patients affected nor the one with perhaps the most worrying circumstances from a compliance perspective.
In September 2020, Montefiore notified the public that an employee “stole approximately four thousand patient names, addresses, dates of birth, and Social Security numbers between January 2018 and July 2020.”[2]
In its notification of the September 2020 incident, the hospital said it “requires criminal background checks on all employees and has comprehensive privacy policies, including a strict Code of Conduct that prohibits employees from looking at patient records unless they have a work-related reason. The employee involved in this case received significant privacy and security training but chose to violate Montefiore’s policies. Montefiore’s sophisticated technology that monitors improper access to electronic patient records identified the employee. In the wake of this breach Montefiore is expanding monitoring capabilities and employee training programs to bolster privacy safeguards and standards.”
CAP Requirements Mirror Alleged Failures
As described in the settlement documents, OCR alleged that the medical center failed to:[3]
- “Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of its electronic protected health information (ePHI).
- “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking” and
- “Implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use.”
Under the settlement, finalized in November, Montefiore is required to conduct a risk analysis and to develop and implement a corresponding risk management plan. It also must “develop a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI based on the findings of the Risk Management Plan.”
Training on any revised policies and procedures is also required.
OCR: Enforcement Needed to Spur Risk Analyses
Fontes Rainer announced the risk analysis initiative during her talk at the HIPAA Summit late last month. OCR has already begun the initiative, Fontes Rainer said, but did not indicate when it started.
Lack of a risk analysis “is something we see in almost every single one of our enforcement actions,” she said. “This is not a new trend.” She said some organizations conduct their analysis but “don’t use it.”
“No matter what the size of the organization is, or the type of intrusion into their system, we’re seeing that the risk analysis is missing,” Fontes Rainer said.
The initiative will “highlight the compliance problems with the HIPAA Security Rule requirement” for the analysis “to draw more attention from our regulated industry—providers, health plans, data clearinghouses,” she said.
OCR will be “selecting certain cases where regulated entities failed to implement a compliant risk analysis” that result in settlements “with corrective actions,” she said. OCR officials will “try to put emphasis on this and drive compliance in this space because we think it’s such a critical step to overall protection of electronic protective health information and patient privacy,” Fontes Rainer added.
She did not say how many such settlements there might be or what financial penalties could be imposed, but covered entities and business associates should consider themselves warned.
Security Rule compliance “is a priority area for enforcement within OCR,” Fontes Rainer said. “It’s one [on] which my staff across the country are very focused…specifically with the risk analysis initiative.”
1 U.S. Department of Health and Human Services, “HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million,” news release, February 6, 2024, https://bit.ly/49CXmYv.
2 Montefiore, “Montefiore Notifies Patients of Security Breach and Potential Identity Theft,” news release, September 18, 2020, https://www.montefiore.org/data-security-breach.
3 U.S. Department of Health and Human Services, “Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (‘HHS’) and Montiefore,” content last reviewed February 6, 2024, https://bit.ly/4bWDqBD.