Melanie Fontes Rainer | HHS

New York City-based hospital system fined $4.75 million for HIPAA violations

A non-profit hospital system based in New York City has agreed to pay $4.75 million for violating the Health Insurance Portability and Accountability Act (HIPAA). The investigation was led by the Office for Civil Rights (OCR), an agency within the U.S. Department of Health and Human Services (HHS) that enforces federal civil rights, privacy, and security laws in health care.

According to a news release from HHS, an employee at Montefiore Medical Center was able to gather and sell patients' protected health information over a six-month period because of data security failures within the hospital's systems. In December, HHS released a cybersecurity strategy for the health care sector, along with voluntary performance goals. The hospital has agreed to implement measures to protect patient data, including updating software, investigating and remediating security risks, and providing HIPAA training to employees.

"Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently," said OCR Director Melanie Fontes Rainer. "This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it's incumbent that our health care system follows the law to protect patient records."

The news release stated that Montefiore Medical Center was alerted by the New York Police Department in May 2015 that its patients' medical information had been compromised. An internal investigation by the hospital revealed that an employee had provided an identity theft ring with the electronic protected health information of 12,517 patients for monetary gain. The hospital notified OCR of its findings.

"Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable," said HHS Deputy Secretary Andrea Palm. "Our priority is and always has been improving the quality of health care patients receive. Part of this health care is establishing a trust that medical records will not be exposed. HHS will continue to remind health care systems of their responsibility as providers, which is to have policies and procedures in place to keep patients' medical information secure."