HHS settles cybersecurity investigation with Montefiore Medical Center.

Montefiore Medical Center, based in New York City, has agreed to pay $4.75 million to settle allegations that data security failures allowed an employee to steal and sell the protected health information of thousands of patients. The employee had taken data from over 12,500 patients two years prior and sold it to an identity theft ring. The Office for Civil Rights (OCR) found that Montefiore had multiple potential violations of the HIPAA Security Rule and lacked key safeguards to detect or prevent the attack. The settlement highlights the growing concern about cybersecurity in the healthcare sector, with the OCR reporting a significant increase in large breaches affecting millions of people. The OCR will monitor Montefiore for two years and the medical center will implement a corrective action plan. Montefiore has already taken steps to improve security, including increased staff training and expanded monitoring capabilities. [Extracted from the article]