Unauthorized Access to Personal Information
Bronx, New York—April 22, 2022—Montefiore Medical Center (“Montefiore”) has notified certain patients about an incident involving the unauthorized access of personal information. In November 2021, Montefiore learned that an employee may have improperly accessed patient records from its electronic medical record system in violation of its policies. Between November 23, 2021 and March 31, 2022, Montefiore further investigated the incident and determined that the employee inappropriately accessed patient information without a role-based reason between January 2018 and November 2021. The employee was suspended during the investigation and was subsequently terminated. In addition, Montefiore referred this incident to law enforcement to support possible criminal prosecution.
The patient information accessed by the former employee may have included demographic data, such as first and last name, medical record number, address, phone number, email address, date of birth, health plan name, and/or last 4 digits of Social Security number. There is no evidence that clinical information, full Social Security numbers, credit card numbers or any other financial information were accessed.
Montefiore performs criminal background checks on all employees and has a robust compliance program, which includes comprehensive policies and procedures, including a strict Code of Conduct that prohibits employees from looking at patient records unless there is a work-related reason to do so; ongoing training of its employees; and both random and targeted audits of medical records access. Montefiore has taken additional steps to try to prevent this type of incident from occurring in the future, including training its employees on their privacy obligations.
While Montefiore does not have evidence that any of the information accessed has been misused at this time, as an added precaution, Montefiore is offering impacted patients complimentary identity theft protection services through IDX®, a data breach and recovery services expert, for one year. Patients with questions regarding this incident can visit https://app.idx.us/account-creation/protect or call 1-(833) 381-2285 Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding major holidays.
This notice is being provided in accordance with the substitute notice requirements of the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act. Montefiore Medical Center has notified impacted patients and will notify relevant regulatory bodies, including the U.S. Department of Health and Human Services.