An individual, a former healthcare worker at New York’s Huntington Hospital, who illegally accessed the PHI in 13,000 patient records is facing a potential criminal conviction.
The person in question was employed to work on the late night shift at the Huntington Hospital when the breach occurred. At different points in time from October 2018 to February 2019 the individual accessed the medical records of patients despite not having that appropriate access and permissions to do so. The range of data that the individual accessed included demographic information such as:
- Names
- Birth dates
- Telephone contact details
- Address information
- Internal account credentials
- Medical history information
- Clinical detail such as diagnoses, medications, lab test results, treatment information, and healthcare provider names.
Representatives for the hospital have confirmed that there has been no proof identified that suggests Social Security data, insurance details, credit card information, and other payment-linked information were viewed.
When the HIPAA breach was initially identified the healthcare worker was quickly suspended from their position and an official removed was launched to determine the extent of the breach. Following the conclusion of the breach, on February 25, 2019, the healthcare worker was fired and the relevant law enforcement agencies were made aware of the HIPAA breach.
Huntington Hospital has revealed that they conduct ongoing HIPAA refresher training for all employees in order to ensure that they are conscious of their legal responsibilities when it comes to handling the protected health information of patients. In addition to this there are security tools configured to identify unauthorized access and regular audits of access logs are carried out. Due to the breach the hospital has added enhancements to its access controls and initiated targeted training sessions to ensure that staff members are aware of the importance of ensuring patient confidentiality.
A press release has been released in relation to the unauthorized access and the group has begun sending out breach notification letters to anyone who may have been impacted in the breach. Despite the fact that the HIPAA Breach Notification Rule states that notification letters must be issued to anyone that may have been impacted in the HIPAA breach within 60 days of the data breach being identified. However, for breaches like this the issuing of breach alerts can be delayed if law enforcement agencies request so. This request was in place on this occasion as law enforcement agencies were conscious of not impeding the investigation into the breach. Permission to share the breach notification letters was provided, by the law enforcement agency in question, this month.
The hospital has provided impacted individuals free identity theft protection services for one year, or longer if required to do so by state legislation, despite the fact that Social Security numbers and financial information are not thought to have been accessed at any point in time.
Following the conclusion of the law enforcement investigation it was revealed that the unauthorized access warranted criminal charges for the HIPAA breach.