Former Employee Accessed PHI of Over 1,100 Patients “Out of Curiosity”

Our Lady of the Angels Hospital has announced the discovery of a breach of patient protected health information (PHI).  The breach occurred when a former employee accessed the medical records of 1,140 patients without proper authorization to do so. In accordance with the HIPAA Breach Notification Rules, the affected patients have been informed of the breach.

While still employed at the organisation, the employee had been granted access to the PHI to properly conduct their work duties. However, hospital staff became aware the employee was accessing medical records without any legitimate reason to do so related to the responsibilities of their job.

The breach of PHI was discovered on July 25, 2017, and the employee’s access to the medical record system was immediately terminated. After a brief investigation, the employee’s contract with the organisation was ended due to this malpractice. In response to the incident, Rene Ragas, President and CEO, Our Lady of the Angels Hospital, said, “Patient privacy is a top priority and we have a zero-tolerance policy for employees who improperly access patient data.”

An investigation was launched into the incident to determine which patients had been impacted, which revealed the former employee had been inappropriately accessing the medical records of patients for more than three years.

The Bogalusa, LA hospital was acquired by the Franciscan Missionaries of Our Lady Health System on March 17, 2014, which is the date given for when the improper access first started. A spokesperson for the hospital confirmed to Becker’s Hospital Review that the improper access may have been occurring for up to 15 years, when the hospital was managed by LSU Health under the name LSU Bogalusa Medical Center.

The former employee was questioned about the breach of PHI. Investigators concluded that it appeared unlikely that any patient health information was shared with any other individuals, or was used for personal gain or with malicious intent. As with many other cases in which employees have accessed healthcare records without proper authorisation, this breach appears to be the result of curiosity.

Even though data theft and misuse is not suspected, all patients whose privacy was violated have been offered 12 months of credit monitoring services without charge to help protect them against yet unknown threats.

The types of information accessed by the former employee includes names, addresses, phone numbers, dates of birth, gender, insurance information, social security numbers, diagnoses, dates of services, places of services, and clinical information such as orders, test results, medications, and clinical abstracts.

Our Lady of the Angels Hospital is reviewing policies and procedures and will be revising its audit processes to ensure any future privacy breaches of this nature are identified more rapidly. Additional training is also being provided to employees regarding the privacy and security of PHI, and the importance of HIPAA compliance.