Malicious Insider Breach Costs $4.75M
3/31/2024
The U.S. Department of Health & Human Services, Office for Civil Rights (“OCR”) recently announced a $4.75 million settlement with a New York City hospital relating to alleged employee theft of patient information over a six-month period. By way of background, in May 2015, the New York Police Department informed the hospital that there was evidence of theft of a specific patient’s medical information. The hospital thereafter conducted an investigation and discovered that, two years prior, one of its employees stole the electronic health information of over 12,517 patients and sold the information to an identity theft ring. The OCR found multiple potential violations of HIPAA by the hospital, including failures by the hospital to analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that records and examine system activity in information systems containing or using protected health information. In addition to the monetary settlement, the hospital is required to implement a corrective action plan and undergo two years of OCR monitoring.
In its announcement, the OCR noted: “In OCR’s breach reports, over 134 million individuals have been affected by large breaches in 2023, whereas 55 million were affected in 2022. OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA must implement safeguards to mitigate or prevent cyber threats.”
Click Here to read the entire March 2024 Healthcare Law Update now!
If you need assistance with your HIPAA compliance program, an OCR investigation, or a data breach incident, please contact:
Lani M. Dornfeld, CHPC | 973.403.3136 | ldornfeld@bracheichler.com
