On Feb. 6, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $4.75 million settlement with New York nonprofit health system Montefiore Medical Center over alleged malicious insider conduct that caused potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows two other recent investigations that led to OCR’s first-ever settlements stemming from ransomware and phishing attacks.
Covered entities and business associates subject to the HIPAA Security Rule should be aware that OCR may hold them accountable for breaches not only from outside the walls of the organization, but also from within.
The Reported Conduct and Settlement
Montefiore reported in 2015 that two years prior, a Montefiore employee had spent nearly six months inappropriately accessing, through Montefiore’s electronic medical record system, the patient account information — including name, address, Social Security number, next of kin and health insurance information — of 12,517 patients. The employee sold this patient information, all of which is collectively electronic protected health information (ePHI), to an identity theft ring.
In its subsequent investigation, OCR found that Montefiore potentially violated HIPAA by:
- failing to conduct an accurate and thorough risk analysis of the potential vulnerabilities to the confidentiality, integrity and availability of the hospital’s ePHI;
- failing to implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking;
- failing to implement hardware, software and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
As part of the settlement, Montefiore agreed to pay $4.75 million, without admitting liability, and to be bound by a comprehensive corrective action plan (CAP).
Corrective Action Plan
For the next two years, OCR will require Montefiore to implement several corrective actions, including commencing a comprehensive security risk analysis. The CAP requires Montefiore to take an inventory of all its facilities, equipment and systems — anything that contains ePHI — as well as its environmental controls, and to update its risk analysis accordingly. After OCR approves the risk analysis, Montefiore must then develop a written risk management plan to address and mitigate the vulnerabilities identified in the risk analysis, which OCR must also approve. After approval of the risk management plan, OCR will require Montefiore to implement audit controls that track activity in all information systems that contain ePHI.
The CAP requires Montefiore to make substantial changes to its policies and procedures that include the risk analysis, risk management plan and audit controls, as well as a list of minimum content that OCR sets forth in the CAP. As part of the CAP, Montefiore must distribute the new policies and procedures to employees with access to PHI, all of whom must sign a certification that they have read, understand and will abide by such procedures. The CAP imposes training and reporting standards on Montefiore, the violation of which — or any of the CAP — can result in civil monetary penalties.
Implications
Healthcare entities can be excellent targets for cyberattacks, due in no small part to the fact that many healthcare organizations are “target rich, cyber poor.” Some healthcare organizations may find investing in cybersecurity low on their priority lists. In response to such a sentiment, HHS released voluntary cybersecurity performance goals catered to the healthcare and public health sectors. In addition, healthcare organizations — no matter how big or small — can access helpful guidance through HHS’ and the Cybersecurity & Infrastructure Security Agency’s joint cybersecurity toolkit. With these resources available, if healthcare entities become victims of a breach of ePHI without having adequate security measures in place, they may face an OCR investigation and similar penalties or enforcement actions.
McGuireWoods has extensive experience advising clients on HIPAA compliance. For additional information on the data privacy and security obligations of covered entities and business associates under HIPAA, please contact one of the authors.