Patients of the Montefiore Medical Center in New York have received the fourth notice of a data breach that affects them in just seven months. The culprit is reportedly an employee who abused his access to the clinic’s systems. The data accessed by that person includes patient names, medical record numbers, physical addresses, email addresses, dates of birth, and the last four digits of their social security numbers (SSNs). Credit card details and clinical details weren’t accessed.
Montefiore states that the access violated its privacy policies, which require every employee to access only the records they need for their work. Upon discovering the abuse, the hospital immediately suspended the employee, who will now face the relevant legal consequences. The violation was discovered by the 'FairWarning' software deployed on its systems, which monitors how employees access patient records and alerts the administration to risky patterns.
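To make concrete what access monitoring of this kind looks like, here is an added example of two detection rules run over a constructed EHR audit log. It is illustrative code written for this page, not FairWarning's logic or anything from Montefiore; the log fields, the care-team roster format and the daily threshold are all assumptions. Rule 1 flags any record access by a user who has no documented treatment relationship with that patient on that day; rule 2 flags a user who touches an unusually large number of distinct patients in one day.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample audit log (not real records). Each entry is
# (timestamp, user_id, patient_id); field layout is an assumption.
AUDIT_LOG = [
    ("2021-02-01T09:05:00", "nurse17", "P1001"),
    ("2021-02-01T09:20:00", "nurse17", "P1002"),
    ("2021-02-02T10:00:00", "nurse17", "P1001"),
    ("2021-02-01T12:40:00", "clerk03", "P1001"),  # clerk03 has no encounter with P1001
    ("2021-02-01T12:41:00", "clerk03", "P2001"),
    ("2021-02-01T12:42:00", "clerk03", "P2002"),
    ("2021-02-01T12:43:00", "clerk03", "P2003"),
    ("2021-02-01T12:44:00", "clerk03", "P2004"),
    ("2021-02-02T08:00:00", "clerk03", "P3001"),  # legitimate: on the roster
]

# Constructed treatment-relationship roster: user -> {patient: (start, end)}.
# An access is expected only while the user is on that patient's care team.
CARE_TEAM = {
    "nurse17": {
        "P1001": (date(2021, 1, 30), date(2021, 2, 5)),
        "P1002": (date(2021, 1, 31), date(2021, 2, 3)),
    },
    "clerk03": {
        "P3001": (date(2021, 2, 1), date(2021, 2, 3)),
    },
}

# Assumed threshold: more distinct patients than this in one day is suspicious.
DAILY_PATIENT_LIMIT = 3


def has_treatment_relationship(user, patient, when):
    """True if `user` is on `patient`'s care team on the day of the access."""
    window = CARE_TEAM.get(user, {}).get(patient)
    if window is None:
        return False
    start, end = window
    return start <= when.date() <= end


def detect_no_relationship(log):
    """Rule 1: every access without a treatment relationship is an alert."""
    alerts = []
    for ts, user, patient in log:
        when = datetime.fromisoformat(ts)
        if not has_treatment_relationship(user, patient, when):
            alerts.append(("no_relationship", user, patient, ts))
    return alerts


def detect_volume_spike(log, limit=DAILY_PATIENT_LIMIT):
    """Rule 2: a user touching more than `limit` distinct patients in one day."""
    per_day = defaultdict(set)
    for ts, user, patient in log:
        day = datetime.fromisoformat(ts).date()
        per_day[(user, day)].add(patient)
    return [
        ("volume_spike", user, len(patients), day.isoformat())
        for (user, day), patients in sorted(per_day.items())
        if len(patients) > limit
    ]


def run_detection(log):
    """Run both rules and return the combined alert list."""
    return detect_no_relationship(log) + detect_volume_spike(log)


if __name__ == "__main__":
    for alert in run_detection(AUDIT_LOG):
        print(alert)
```

Against this sample, rule 1 raises five alerts for clerk03 and none for nurse17, and rule 2 raises one alert for clerk03's five-patient day. The two rules fail differently: a volume threshold misses a "low and slow" insider, such as the one who took 4,000 records over two and a half years, whereas the relationship check flags every single access that has no clinical or administrative justification, which is why mature programs lean on the latter and keep the roster of treatment relationships accurate.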
Although this sounds like a properly safeguarded system, this was the fourth breach notification that Montefiore has had to send to patients. Here is a summary of the recent notices:
April 2021 notice – Inappropriate access by an employee between January 2020 and February 2021. No count of affected individuals was given.
January 2021 notice – Unauthorized access to patient data by an employee between June 2020 and November 2020. 1,787 patients were affected.
December 2020 notice – An employee accessed patient data and attempted to commit insurance fraud. 670 patients were affected.
September 2020 notice – An employee stole 4,000 patient records between January 2018 and July 2020.
In all cases, Montefiore fired the employees and reported them to the authorities, who opened criminal investigations. Still, the insider incidents keep recurring even though the medical center runs monitoring tools and takes them seriously. Note also the access windows in the notices above: each abuse was caught only after months of access, and the longest ran for two and a half years. Monitoring of this kind is a detective control; it shortens the abuse and produces evidence, but it does not stop an authorized user from opening a record in the first place. Montefiore's announcement also mentions that all employees go through criminal background checks before they are given access to the clinic's systems.
If an entity with a strict code of conduct, monitoring systems in place, and detailed background checks suffers four data breaches from internal access violations, we can only imagine what happens with other medical service providers who follow more relaxed or even non-existent privacy protection and data security policies.
In conclusion, whatever clinic you may have visited in the past, and no matter what data protection procedures it claims to follow, stay vigilant and treat unsolicited communications that reference your medical or personal details with suspicion. Abuse is always a probability, and given enough time, a certainty.