Montefiore flash drive containing patient information stolen in 6th data breach in 2 years

Montefiore Medical Center announced its latest data breach on Friday, Sept. 23 — the sixth breach in the last two years.

A Montefiore Medical Center research coordinator’s USB storage device was stolen, exposing personal information about more than 1,300 patients. It is the medical center’s second data breach this year and sixth since September 2020; together, the six breaches have impacted the privacy of 12,451 patients.

The five incidents preceding this one all involved now-fired employees illegally accessing personal information about patients. And while this latest incident was described as a theft, the research coordinator whose device was stolen has been suspended for not following Montefiore’s policies, according to the private non-profit hospital.

A notice put out by Montefiore on Friday, as required by the Health Insurance Portability and Accountability Act (HIPAA), described the storage device as containing demographic and clinical information for “some Montefiore patients.” But upon request by the Bronx Times, Montefiore spokesperson Tracy Gurrisi, the assistant vice president of strategic communications and media relations, said there were 1,332 patients impacted. Not all were Bronx residents.

The medical center learned about the incident in July and investigated it from July 18 to Aug. 25, according to the notice.

Patient information stored on the device, according to Montefiore, “may have” included not only demographic data like first and last names, medical record numbers, email addresses and dates of birth, but also clinical information, like treatment location, provider names, dates of service, reasons for visits, an indication of previous diagnoses, medications, test results and other treatment information.

There is no evidence that there were Social Security numbers, credit card numbers or other payment information leaked. Montefiore contacted patients impacted by the breach and is offering them identity theft protection services for a year, according to the medical center.

Gurrisi declined to say which Montefiore site the theft occurred at, as well as the name of the research coordinator, duration of their suspension and what policies the coordinator broke.

The Montefiore notice stated that the theft was immediately reported to local law enforcement and that the medical center does not have evidence that information from the device has been misused. Gurrisi did not answer whether there is a known suspect or motive.

The Bronx Times reached out to the NYPD for more information, but a department spokesperson said that in order to respond to the inquiry, the agency needs details that Montefiore would not provide to the Bronx Times.

Following the recent incident, Montefiore will have more intensive training for employees about their privacy obligations and will revisit its procedures for storing patient information on portable devices, as well as improve security tools to monitor such information, according to the medical center.

But it’s not the first time Montefiore has had an issue with keeping patient information confidential stemming from employee misbehavior, with a pattern of breaches over the last two years.

A now-former employee allegedly stole 4,000 patient names, addresses, dates of birth and Social Security numbers between January 2018 and July 2020, according to a September 2020 notice.

Just a few months later, Montefiore reported a data breach from documents in December 2020, which impacted 672 individuals, as confirmed by Gurrisi. Three breaches followed involving electronic medical records, in January 2021 impacting 1,787 people, in April 2021 affecting 943 people and in April of this year violating the privacy of 3,717 people, according to information reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

And all five of these incidents involved an employee inappropriately accessing patients’ information, violating their privacy rights. All were fired, and one died while the investigation was underway, according to required notices from the medical center.

The breach disclosed in September 2020 was not included in OCR’s publicly posted data breach records. Asked by the Bronx Times why, Rachel Seeger, a senior communications advisor for OCR, said the department generally does not comment on open or potential investigations. The incident was properly reported, according to Gurrisi.

Montefiore has campuses in the Norwood, Pelham Parkway, Wakefield and Westchester Square sections of the Bronx, as well as in Westchester, Rockland and Orange counties.

Reach Aliya Schneider at [email protected] or (718) 260-4597. For more coverage, follow us on Twitter, Facebook and Instagram @bronxtimes