The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $4.75 million settlement with Montefiore Medical Center, a New York City hospital system. The settlement resolves multiple potential HIPAA Security Rule violations.
OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules. HIPAA requires health care providers, insurers, and other entities to protect the privacy and security of patient information.
Montefiore failed to safeguard its systems. Over a six-month period, an employee stole and sold the protected health information (PHI) of 12,517 patients. Montefiore reported the breach only after the NYPD uncovered the theft in 2015.
OCR’s investigation found Montefiore failed to:
- Analyze and identify risks to PHI.
- Monitor activity on its information systems.
- Implement effective policies and procedures.
Because of these failures, Montefiore neither prevented the theft nor detected it until years later.
Settlement Terms
Montefiore must pay $4.75 million and follow a Corrective Action Plan (CAP). The CAP requires Montefiore to:
- Conduct a complete risk analysis.
- Develop and implement a risk management plan.
- Install monitoring systems to record and review PHI activity.
- Review and update HIPAA policies and procedures.
- Train staff on HIPAA requirements.
OCR will monitor Montefiore for two years.
Key Quotes
OCR Director Melanie Fontes Rainer said:
“Cyber-attacks from malicious insiders are not uncommon. The risks to patient information cannot be ignored. Health care systems must follow the law and act quickly to protect records.”
HHS Deputy Secretary Andrea Palm added:
“Patients must trust providers to protect their records. Our priority remains safeguarding patients and ensuring providers implement strong security policies.”
OCR reported that 134 million people were affected by large breaches in 2023, compared to 55 million in 2022. OCR urges health care providers, health plans, and business associates to:
- Conduct regular risk analyses.
- Monitor information system activity.
- Use multi-factor authentication.
- Encrypt PHI.
- Train staff frequently.
- Update policies based on lessons learned from incidents.
OCR continues to provide training, newsletters, and webinars to help the health care sector strengthen data privacy and cybersecurity.