HIPAA Breaches at Montefiore Medical Center & Belden

It has been discovered that another Montefiore Medical Center employee has accessed patient information with no work reason for doing. It was made public that, during February 2020, a member of staff had accessed medical records without authorization over a period of five months in 2020 while another employee was found to have stolen the PHI of around 4,000 patients between January 2018 and July 2020.

The most recent discovery involved a member of staff viewing the records of patients without authorization for more than 12 months. The breach was discovered by Montefiore’s FairWarning software, which monitors records for improper access.

When unauthorized medical record access was identified, the employee was suspended while an investigation was undertaken. An audit of record access confirmed that the employee had accessed records with no legitimate work reason for doing so from January 2020 to February 2021.

The range of information accessed was different from patient to patient and included full names, medical record data, addresses, email addresses, birth dates, and the final 4-digits of Social Security numbers. Montefiore does not believe financial data or clinical information was impacted.

The unauthorized record access was a breach of HIPAA and the Montefiore’s internal policies and procedures. The employee was fired and the issue was reported to the relevant law enforcement agencies for possible criminal prosecution.

Meanwhile Belden, a U.S. supplier of networking devices, faces a potential class action lawsuit in relation to a November 12, 2020 data breach in which the personal information of existing and previous staff members was breached. Cybercriminals obtained access to a small number of servers and stole staff data and information about some of its business partners.

The breach was made known to the HHS’ Office for Civil Rights OCR as it included the protected health information of 6,348 people. Names, Social Security details, tax identification info, financial account data, residential addresses, email addresses, dates of birth and other employment-related data was taken. Belden announced the breach on November 24, 2020 and began alerting impacted people individuals as of December 14, 2020.

The legal action, Edke v. Belden Inc., claims the plaintiff and class members had to wait a number of weeks before being made aware that their personal information had been illegally taken. They claim that the data breach has put them at “significant risk of identity theft and various other forms of personal, social, and financial harm.””


Author: Maria Perez