Montefiore Medical Center agreed to pay $4.75 million to settle allegations by the Department of Health and Human Services’ Office for Civil Rights (HHS OCR) that failures by the New York City nonprofit facility allowed an employee to steal and sell patient information for six months.

The medical center engaged in multiple data security shortcomings that violated the Health Insurance Portability and Accountability Act (HIPAA), including failing to safeguard patient medical information, failing to conduct risk assessments of the security of the medical data in its files, and failing to implement policies and procedures to monitor access to, and activity involving, that information, the OCR said Tuesday in a press release.

The details: The alleged failures came to light after the hospital was contacted by police in May 2015 about the possible theft of a particular patient’s medical information. Montefiore investigated and found that, two years earlier, an employee had stolen the medical information of 12,517 patients and sold that information to an identity theft ring, per the OCR. The hospital then filed a breach report with the regulator.

Compliance considerations: Montefiore must implement a corrective action plan to protect patient data, including:

  • Conducting an accurate and comprehensive risk assessment of electronic patient information regarding security, confidentiality, and integrity;
  • Writing a risk management plan that mitigates security risks identified by the OCR;
  • Updating computer hardware, software, and systems as necessary to protect data and monitor access to it;
  • Updating written policies to comply with HIPAA rules; and
  • Providing training to employees about HIPAA policies and procedures.

The OCR will monitor Montefiore’s compliance for two years, it said.

“Cyberattacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable,” HHS Deputy Secretary Andrea Palm said in the release. “… HHS will continue to remind healthcare systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.”

Montefiore could not be reached for comment.