From their web site:
Montefiore Health System is notifying certain patients about a security incident involving information that was stolen by a former employee. The employee compromised the information of 12,517 patients, which included names, addresses, dates of birth, Social Security numbers, next of kin information, and health insurance details. The theft occurred between January 2013 and June 2013. The employee was fired, arrested and is now being prosecuted for this crime.
Montefiore will not tolerate any violation of our patients’ privacy. We are working closely with law enforcement, including the Manhattan District Attorney’s office to assist in their investigation. Following this theft, Montefiore is expanding both our technology monitoring capabilities and employee training on safeguarding and accessing patient records to further bolster our privacy safeguards.
The police have advised Montefiore that the employee may have sold the stolen patient information and this could result in identity theft. To safeguard affected individuals from any potential misuse of their personal information, Montefiore is offering all impacted patients identity theft protection services through ID Experts®, a data breach and recovery services expert. Affected patients will receive complete identity recovery services, 12 months of credit monitoring and a $1,000,000 insurance policy. All patients who have been impacted by this incident will receive a letter from Montefiore with more information.
Patients with questions regarding this incident can visit www.myidcare.com/recoveryprotect or call 1-888-266-9438 Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding major holidays.
The employee who was arrested chose to violate established hospital policies, the trust of our patients and the law. We deeply regret that this crime has occurred and for any burden that this incident may cause.
Note the difference between the statement on their site and this press release, also issued today, that makes it clear that Montefiore did not discover the breach on their own:
Montefiore Health System is notifying certain patients about a security incident involving information that was stolen by a former employee. On May 15, 2015, Montefiore was informed by law enforcement that the employee stole patient names, addresses, dates of birth, Social Security numbers, next of kin information, and health insurance details. The theft occurred between January 2013 and June 2013. The employee compromised the information of 12,517 patients. The employee was fired, arrested and is now being prosecuted for this crime. Montefiore is fully cooperating with law enforcement, including the Manhattan’s District Attorney’s office.
Montefiore performs criminal background checks on all employees and has comprehensive policies and procedures, as well as a Code of Conduct, which prohibit employees from looking at patient records when there is not a work-related reason to do so. Montefiore uses sophisticated technology to monitor for improper access by employees to our electronic patient records; however, this employee committed a criminal act. Following this theft, Montefiore is expanding both its technology monitoring capabilities and employee training on safeguarding and accessing patient records to further bolster our privacy safeguards. The employee involved in this case received significant privacy and security training and despite that training, chose to violate our policies. In response to this incident, Montefiore is also adding additional technical safeguards to protect patient information from theft or similar criminal activity in the future.
The police have advised Montefiore that the employee may have sold the stolen patient information and this could result in identity theft. To safeguard affected individuals from any potential misuse of their personal information, Montefiore is offering all impacted patients identity theft protection services through ID Experts®, a data breach and recovery services expert. Affected patients will receive complete identity recovery services, 12 months of credit monitoring and a $1,000,000 insurance policy. Patients with questions regarding this incident can visit www.myidcare.com/recoveryprotect or call 1-888-266-9438 Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding major holidays. These costs will be fully borne by Montefiore.
“Montefiore will not tolerate any violation of our patients’ privacy,” said Susan Green-Lorenzen, RN, senior vice president, Operations at Montefiore. “At Montefiore all employees are thoroughly screened for criminal backgrounds, provided extensive training to protect patient privacy, and must adhere to a strict Code of Conduct. The employee who was arrested in connection to this violation egregiously and criminally chose to violate established hospital policies, the trust of our patients and the law. We deeply regret that this crime has occurred and for any burden that this incident may cause. This breach of patient data is unacceptable, and we are working to support the District Attorney’s office.”
This press release is in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act. Montefiore Health System has notified affected members and the Department of Health and Human Services (HHS).