Montefiore Medical Center fined $4.75M for Malicious Insider

Insider threats

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $4.75 million settlement with Montefiore Medical Center, a New York City hospital system. The settlement resolves multiple potential HIPAA Security Rule violations.

OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules. HIPAA requires covered entities (health care providers, health plans, and health care clearinghouses) and their business associates to protect the privacy and security of patient information.

Montefiore failed to adequately safeguard the PHI on its systems. An employee stole and sold the protected health information (PHI) of 12,517 patients over a six-month period. Montefiore learned of the theft only in 2015, when the New York City Police Department (NYPD) uncovered it, and only then reported the breach.

OCR’s investigation found Montefiore failed to:

  • Analyze and identify risks to PHI.
  • Monitor activity on its information systems.
  • Implement effective policies and procedures.

Because of these failures, Montefiore neither prevented the theft nor detected it on its own; the breach came to light years later, through law enforcement rather than through Montefiore's own monitoring.

Settlement Terms

Montefiore must pay $4.75 million and follow a Corrective Action Plan (CAP). The CAP requires Montefiore to:

  • Conduct a complete risk analysis.
  • Develop and implement a risk management plan.
  • Install monitoring systems to record and review PHI activity.
  • Review and update HIPAA policies and procedures.
  • Train staff on HIPAA requirements.

OCR will monitor Montefiore for two years.

Key Quotes

OCR Director Melanie Fontes Rainer said:
“Cyber-attacks from malicious insiders are not uncommon. The risks to patient information cannot be ignored. Health care systems must follow the law and act quickly to protect records.”

HHS Deputy Secretary Andrea Palm added:
“Patients must trust providers to protect their records. Our priority remains safeguarding patients and ensuring providers implement strong security policies.”

OCR reported that 134 million people were affected by large breaches (those affecting 500 or more individuals) in 2023, compared to 55 million in 2022. OCR urges health care providers, health plans, and business associates to:

  • Conduct regular risk analyses.
  • Monitor information system activity.
  • Use multi-factor authentication.
  • Encrypt PHI.
  • Train staff frequently.
  • Update policies based on lessons learned from incidents.
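The CAP's monitoring requirement and OCR's "monitor information system activity" recommendation are the items most directly tied to why this theft went unnoticed for years: the access events were almost certainly in the EHR audit trail, but nobody was reviewing them. As an added example (not code from OCR, Montefiore, or Aris Medical Solutions), the Python below shows what a minimal review of EHR access audit logs looks like. It runs two checks a reviewer would want over such logs: per-user distinct-patient volume measured against a peer baseline for the same role, and export/print actions outside business hours. The log format, the user and role names, the thresholds, and every sample line are constructed for this illustration; real EHR audit logs carry more fields, but the same checks apply.

```python
"""Audit-log review for bulk PHI access.

Added example; not code from the OCR settlement, Montefiore, or Aris
Medical Solutions. The log format is constructed for the example: one
access event per line, "<ISO timestamp> <user> <role> <patient MRN> <action>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed baseline traffic: clinical staff and one clerk doing normal work.
_NORMAL_LINES = [
    "2015-01-05T08:02:11 nurse01 RN 100231 VIEW",
    "2015-01-05T08:15:40 nurse01 RN 100232 VIEW",
    "2015-01-05T09:03:02 nurse01 RN 100233 VIEW",
    "2015-01-05T08:10:00 nurse02 RN 100240 VIEW",
    "2015-01-05T08:12:00 nurse02 RN 100241 VIEW",
    "2015-01-05T10:30:00 nurse02 RN 100242 VIEW",
    "2015-01-05T11:00:00 nurse02 RN 100243 VIEW",
    "2015-01-05T07:55:00 clerk01 CLERK 100250 VIEW",
    "2015-01-05T08:30:00 clerk01 CLERK 100251 VIEW",
    "2015-01-05T09:20:00 clerk01 CLERK 100252 VIEW",
    "2015-01-05T09:45:00 clerk01 CLERK 100253 VIEW",
    "2015-01-05T10:05:00 clerk01 CLERK 100254 VIEW",
]


def _constructed_insider_lines():
    """Constructed insider pattern: clerk02 pulls 40 distinct records in one
    evening and exports half of them."""
    lines = []
    for i in range(40):
        ts = f"2015-01-05T{20 + i // 30:02d}:{i % 30:02d}:00"
        action = "EXPORT" if i % 2 == 0 else "VIEW"
        lines.append(f"{ts} clerk02 CLERK {100300 + i} {action}")
    return lines


SAMPLE_LOG = "\n".join(_NORMAL_LINES + _constructed_insider_lines())


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    mrn: str
    action: str

    @property
    def day(self) -> str:
        return self.ts.date().isoformat()


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the constructed whitespace-separated audit format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, mrn, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, mrn, action))
    return events


PEER_MULTIPLIER = 3.0          # flag when > 3x the peer median of distinct patients/day
ABS_FLOOR = 10                 # never flag below this many distinct patients/day
EXPORT_ACTIONS = {"EXPORT", "PRINT", "DOWNLOAD"}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time


def find_bulk_access(events):
    """Users who touch far more distinct patient records per day than peers in
    the same role. The baseline is the median over *other* users in the role,
    so a single heavy user cannot inflate their own threshold."""
    distinct = defaultdict(set)  # (user, day) -> set of MRNs
    roles = {}
    for e in events:
        distinct[(e.user, e.day)].add(e.mrn)
        roles[e.user] = e.role
    findings = []
    for (user, day), mrns in sorted(distinct.items()):
        peers = [len(m) for (u, d), m in distinct.items()
                 if roles[u] == roles[user] and u != user]
        baseline = median(peers) if peers else 0
        n = len(mrns)
        if n >= ABS_FLOOR and n > PEER_MULTIPLIER * baseline:
            findings.append({"user": user, "day": day,
                             "distinct_patients": n, "peer_median": baseline})
    return findings


def find_offhours_exports(events, min_exports=5):
    """(user, day) pairs with at least min_exports export/print actions outside
    business hours."""
    counts = defaultdict(int)
    for e in events:
        if e.action in EXPORT_ACTIONS and e.ts.hour not in BUSINESS_HOURS:
            counts[(e.user, e.day)] += 1
    return {k: v for k, v in sorted(counts.items()) if v >= min_exports}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_bulk_access(evs):
        print(f"BULK ACCESS  {f['user']} {f['day']}: {f['distinct_patients']} patients "
              f"(peer median {f['peer_median']})")
    for (user, day), n in find_offhours_exports(evs).items():
        print(f"OFF-HOURS EXPORT  {user} {day}: {n} exports")
```

Two design points matter more than the specific thresholds. First, the volume check is relative to peers in the same role, because a billing clerk legitimately touches far more charts per day than a nurse; a single absolute threshold either misses the clerk who exfiltrates or drowns the reviewer in noise. Second, the checks run on the audit trail the EHR already keeps; the gap in cases like this one is rarely missing logs, it is that nobody is assigned to review them and act on what they show.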

At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare providers simplify compliance by maintaining up-to-date policies, procedures, and workforce training to meet every aspect of the HIPAA Privacy and Security Rules.

Don’t risk costly penalties. Ensure your Compliance Officer understands their responsibility.

Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who understand why, and what, needs to be done to protect their practice achieve a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risk of data breaches. HIPAA compliance is not optional; every organization that comes in contact with protected health information must have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or face an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates HIPAA data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own breach notification laws, and the state Attorney General may also investigate privacy violations, including HIPAA violations under the authority granted to state Attorneys General by the HITECH Act.

©2025 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy