Montefiore Medical Center and Mercy Health have reported insider data breaches in the past few days. In both breaches, an employee accessed patient information even though there was no valid work reason for doing so.
Montefiore Medical Center Former Employee Accessed Patient Data for Billing Scam
Montefiore Medical Center, based in New York City, has discovered that a former employee accessed patient data and used it in a billing scam. The employee viewed patient names, medical record numbers, and surgery dates and used them to produce invoices for unused surgical merchandise associated with a vendor.
Montefiore Medical Center uncovered the fraud after it had already paid the invoices and began an investigation, which revealed the former employee's inappropriate access. Approximately 4,000 patients’ information had been accessed without authorization from January 2018 to July 2020.
The ex-employee did not access Social Security numbers, medical records, or financial data. The investigation found no evidence suggesting that patients or their insurance providers were scammed. The scam was reported to authorities and the investigation is ongoing.
Montefiore Medical Center stated that the former employee died during the investigation and that the supplier has been restricted from entering all Montefiore campuses.
Montefiore Medical Center has taken steps to prevent similar incidents in the future. The paper records involved in the fraud are no longer used, and the steps for processing invoices for surgical items are being examined.
Criminal background checks are now conducted prior to appointment, and all workers undergo training on privacy policies and are informed that the medical center does not tolerate personnel accessing health records unless there is a valid work-related reason for doing so.
Mercy Health Uncovers Unauthorized Access of PHI by Former Staff
Mercy Health, based in Cincinnati, OH, has started notifying a number of patients that some of their protected health information (PHI) was accessed by a staff member for reasons not related to providing patient care.
Mercy Health learned of the insider breach on October 7, 2020. The investigation showed the employee had accessed patient records several times when it was not necessary for providing patient care. The reason for the unauthorized access was not shared with the public.
Patients affected by the breach were advised to monitor their credit reports and billing/account statements and to report any suspicious activity. As a safeguard against identity theft and fraud, Mercy Health offered the impacted patients a complimentary 1-year membership to IDX identity theft protection services.
For the majority of affected patients, the data accessed was limited to name, address, demographic details, date of birth, medical record number, clinical details, radiological images and/or treatment data. The former employee also viewed the health insurance ID numbers of some patients.
Mercy Health has since improved its procedures to prevent similar incidents in the future, and employees have been re-educated on compliance with Mercy Health's policies and procedures.
At the time of writing, the incident had not yet appeared on the HHS’ Office for Civil Rights breach portal, so the number of impacted patients is still unclear.