Hawaii Pacific Health noticed the unauthorized access on January 17, 2020 and began a review. An analysis of access logs revealed the employee first began viewing patient records in November 2014 and went on doing so undetected until January 2020. During that time, the employee viewed the medical records of 3,772 patients. After finishing the investigation, the employee was fired.
Impacted patients had attended appointments at Straub Medical Center, Kapiolani Medical Center for Women & Children, Pali Momi Medical Center, or Wilcox Medical Center. The range of information that the employee could have viewed included patients’ first and last names, telephone numbers, addresses, email addresses, dates of birth, race/ethnicity, religion, medical record information, primary care provider information, dates of service, appointment types and related remarks, hospital account numbers, department name, supplier names, guarantor names and account numbers, health plan names, and Social Security details.
The reason for viewing the records was not discovered, but Hawaii Pacific Health believes it was out of curiosity rather than to obtain sensitive information for malicious reasons. However, data theft could not be ruled eliminated. All patients whose records were viewed by the employee were alerted via mail on March 17, 2020 and were offered one year of free credit monitoring and identity restoration services.
Hawaii Pacific Health is assessing and updating its internal processes and will be conducting additional training on patient privacy. The health system is also looking into new technologies that can be implemented to identify unauthorized medical record access and anomalous employee behavior access more swiftly