Montefiore Notifies Patients of Security Breach and Potential Identity Theft
Employee Fired and Investigation On-Going
September 18, 2020
Montefiore Medical Center is notifying patients about a security breach involving information accessed illegally by a former employee. In July of 2020, Montefiore discovered that the employee allegedly stole approximately four thousand patient names, addresses, dates of birth, and Social Security numbers between January 2018 and July 2020. The employee was fired, and an NYPD investigation is underway. To date, there is no evidence that this patient information has been used for identity theft.
Montefiore requires criminal background checks on all employees and has comprehensive privacy policies, including a strict Code of Conduct that prohibits employees from looking at patient records unless they have a work-related reason. The employee involved in this case received significant privacy and security training but chose to violate Montefiore’s policies. Montefiore’s sophisticated technology that monitors improper access to electronic patient records identified the employee.
In the wake of this breach Montefiore is expanding monitoring capabilities and employee training programs to bolster privacy safeguards and standards.
In addition, Montefiore is offering all affected patients identity theft protection services through ID Experts®, a data breach and recovery services company. Patients will receive identity recovery services, 12 months of credit monitoring and a $1,000,000 insurance policy. Patients with questions regarding this incident can visit https://app.myidcare.com/account-creation/protect or call 1-833-755-1027 Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding major holidays. These costs will be fully covered by Montefiore.
Montefiore deeply regrets this incident and will not tolerate any violation of patient privacy. In support of all HIPAA guidance and laws, we view this activity to be criminal in nature and are fully cooperating with law enforcement as the case moves forward.
This press release is in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act. Montefiore Health System has notified affected members and the Department of Health and Human Services (HHS).