Montefiore Medical Center – Notice of Privacy Incident

Bronx, New York—September 23, 2022—Montefiore Medical Center (“Montefiore”) has notified certain patients about a privacy incident involving their demographic and clinical information.  In July 2022, Montefiore learned that a research coordinator’s USB storage device was stolen.  Between July 18, 2022 and August 25, 2022, Montefiore’s investigation determined that the USB storage device contained demographic and clinical information of some Montefiore patients. There is no evidence that Social Security numbers, credit card numbers or any other payment-related information were stored on the USB storage device.  The theft was immediately reported to local law enforcement.

The patient information stored on the USB storage device may have included demographic data, such as first and last names, medical record numbers, email addresses and dates of birth, as well as clinical information, such as the name of the treatment location, provider names, dates of service, reason for visit(s), an indication of previous diagnoses (including in some cases sensitive diagnoses), medications, test results and other treatment-related information.    

Montefiore has a robust compliance program, which includes comprehensive policies and procedures, ongoing training of its employees and a sophisticated IT security infrastructure.  Montefiore has taken additional steps to prevent this type of incident from occurring in the future, including more intensive training of its employees on their privacy obligations.  Montefiore is also reviewing and revising its procedures regarding storage of patient information on portable devices and is enhancing its security tools to monitor and control the transfer of electronic patient information to portable storage devices.  In this instance, the research coordinator was suspended for not following Montefiore policies.

While Montefiore does not have evidence that any of the information accessed has been misused at this time, as an added precaution, Montefiore is offering people impacted complimentary identity theft protection services through IDX®, a data breach and recovery services expert, for one year.   Individuals with questions regarding this incident can visit or call 1– (833) 903 –3648 Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding major holidays.

This notice is being provided in accordance with the substitute notice requirements of the Health Insurance Portability and Accountability Act, as amended by Health Information Technology for Economic and Clinical Health Act.  Montefiore has notified impacted patients and will notify relevant regulatory bodies, including the U.S. Department of Health and Human Services.