Montefiore Health System in New York City on June 19 started notifying more than 12,500 patients that their protected health information may have been compromised. Some patients have experienced identity theft.

An employee was recently found to have stolen the information during the first six months of 2013. The employee has been fired, arrested and now is being prosecuted, according to the delivery system. Law enforcement officials notified Montefiore of the theft on May 15, 2015. “To date, we have identified that the information stolen from Montefiore was used to purchase gift cards and open store credit cards in the amount of $50,000,” a spokesperson tells Health Data Management.


In a notice to media, Montefiore said it uses sophisticated technology to monitor for improper access of electronic patient records. Asked how the employee’s improper access was not discovered using the technology, the spokesperson said, “She found ways around the system because she was a criminal.”

Montefiore in 2013 had appropriate systems, processes and protocols in place, and the employee received extensive training on privacy and security policies along with signing a non-disclosure agreement and a code of conduct policy, the spokesperson says. The employee was part of a criminal ring, and all involved have been arrested.

Now, Montefiore is implementing additional technical safeguards to protect against theft of patient information in the future. The organization declines to specify the new safeguards, which is customary for security purposes.

All affected patients are being offered one year of credit monitoring and identity theft protection services, which include a $1 million insurance policy, according to the delivery system. Asked why one year is being offered when two years of protection is becoming more common, the spokesperson said that because use of the stolen information has begun, it is believed that one year will provide all affected patients with services if their identity is compromised.
