EHR snooping at Montefiore leads to security breach

The New York health system said an employee, who has been fired, inappropriately accessed electronic health records and viewed clinical information, including test results and diagnoses.
By Mike Miliard
02:59 PM

Montefiore Medical Center is notifying patients of a recent security breach that involved illegal access to HIPAA-protected health information by a former employee.

The incident occurred between June 2020 and November 2020, according to Montefiore, which "immediately deactivated the employee’s access to the electronic medical record system," officials said in a notice to patients. "After a thorough investigation, the employee was fired and the case was referred to law enforcement for possible criminal prosecution."

Montefiore officials say the employee accessed a variety of patient information, potentially including names, addresses, dates of birth, medical record numbers and the last four digits of patients' Social Security numbers.

Certain clinical information – test results, diagnoses and visit histories – might also have been inappropriately accessed, according to the Bronx-based health system.

Officials say there's no evidence that patient data was used for identity theft, or that financial information such as credit card numbers was accessed.

Montefiore says it will provide identity theft protection services from IDX at no cost to patients affected by this breach, including a year of credit monitoring, a $1,000,000 insurance reimbursement policy, access to fraud resolution representatives and more.

Insider snooping by employees and staff has long been a major security concern for hospitals and health systems.

In years past, high-profile cases have involved celebrity patients such as Kim Kardashian and George Clooney.

Privacy issues have been highlighted since the start of the COVID-19 public health emergency – especially with new challenges, such as temporary field hospitals, remote-work employees and rapid telehealth deployments.

In March 2020, for instance, security firm CynergisTek updated its Patient Privacy Monitoring Services to help providers more proactively identify hospital insiders who might be seeking information they're unauthorized to access about coronavirus and COVID-19.

"We apologize for any inconvenience to our patients that this breach has caused," said Robert Dalrymple, chief information security officer at Montefiore Medical Center, in a statement. "We are taking steps to implement additional safeguards to strengthen the security of our systems."

Twitter: @MikeMiliardHITN

Healthcare IT News is a HIMSS publication.
