Montefiore Medical Center posted a security breach notice Sept. 18 stating that a former employee recently stole about 4,000 patients' personal information.
The health system discovered the incident in July and claims the employee stole approximately 4,000 patients' names, addresses, dates of birth and Social Security numbers between January 2018 and July 2020.
As a result of the incident, the employee was fired and the New York City Police Department launched an investigation. Montefiore said there is no evidence that the patient information has been used for identity theft.
"Montefiore deeply regrets this incident and will not tolerate any violation of patient privacy," the health system said. "In support of all HIPAA guidance and laws, we view this activity to be criminal in nature and are fully cooperating with law enforcement as the case moves forward."
Montefiore prohibits employees from viewing patient medical records without a work-related reason and has technology in place that monitors such activity. However, the health system is expanding its monitoring capabilities and employee training programs to increase privacy safeguards.
Montefiore is providing all affected patients with identity theft protection services, identity recovery services, one year of credit monitoring and a $1 million insurance policy as a result of the incident.