Employer Pays $4.75 Million after Employee Stole, then Sold, Protected Health Information

While HIPAA training may feel tedious and appear to be a waste of time and payroll, it’s crucial not to take shortcuts when it comes to compliance!

First, HIPAA Privacy and Security Rules were created to protect sensitive patient information and improve the quality of care patients receive. Patients should feel comfortable sharing their most private health information with healthcare providers during their examinations and treatments. If patients fear their information will not remain confidential, they are less likely to be transparent, potentially impacting the care they receive.

Second, as a Covered Entity under HIPAA, the pharmacy is responsible for ensuring that staff are adequately trained and that appropriate safeguards are in place to secure protected health information (PHI). Look no further than the February 6, 2024 press release from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to see how expensive brushing off your obligations under the HIPAA Security Rule can be. According to the release, Montefiore Medical Center settled with OCR for a jaw-dropping $4.75 million for several potential violations of the HIPAA Security Rule. As outlined in the release, an employee stole the electronic PHI of 12,517 patients and sold that information to an identity theft ring. The police notified Montefiore Medical Center of the situation after they had “evidence of theft of a specific patient’s medical information”. Only after the police notified Montefiore, two years after the employee stole the data, did the Medical Center perform an internal investigation and find the breach.

During its investigation, OCR found “multiple potential violations of the HIPAA Security Rule, including failures by Montefiore Medical Center to analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that record and examine activity in information systems containing or using protected health information. Without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack or even detect the attack had happened until years later.”

Lastly, learn from Montefiore Medical Center’s mistakes and follow these PAAS Tips:

  • Prioritize having a comprehensive HIPAA training program that:
    • Is in place for all employees involved in the handling of PHI
    • Ensures HIPAA Rules are equally enforced across all levels of staff
    • Ensures employees understand the importance of taking their training seriously
    • Includes information about civil, monetary, and criminal penalties for violations of the HIPAA Rules to reinforce the importance of compliance
  • Review and update, no less than annually, your HIPAA Risk Analysis to ensure you have the proper safeguards in place. This is a required HIPAA form and must be retained for six years.
  • Ensure there are adequate safeguards in place to prevent and detect malicious behavior; for more information, review the following Newsline articles:

If you are not sure where to start, contact PAAS National® at (608) 873-1342 for more information on PAAS’ FWA/HIPAA Compliance Program, which is easy to set up, web-based, and customized for your pharmacy.

Sara Hathaway, PharmD