Impermissible Access of 1,216 Patient Records by Former Upstate University Hospital Employee


Upstate University Hospital located in Syracuse, NY notified 1,216 of its patients regarding the impermissible access of a former personnel to some of their protected health information (PHI). The hospital became aware of the breach on September 12, 2018. Immediately, the breach was investigated to find out which patients were affected by the privacy violation. The investigation results showed that the old employee initially accessed the medical records of patients without any authorization on November 3, 2016 and continued to do so until October 23, 2017.

The investigation didn’t find any proof that indicate the former employee printed, duplicated or forwarded any information beyond the organization. There’s no clear reason uncovered by the investigators as to why the past employee accessed the patient records. Hence, there is no information announced to the public regarding the motives behind the incident.

There was no compromise of highly sensitive data, for instance Social Security numbers, financial data, health insurance details and other information. So, this is not a typical incident engaged in by identity thieves. .

The breached information was limited to the patients’ names, addresses, ages, medical record numbers, types of services obtained, service dates, diagnoses, treatment details, and prescription medications.

Because of the incident, all hospital personnel with access to PHI received detailed training about the preservation of the confidentiality and security of patient data. They were also made aware of their accountabilities regarding HIPAA.

The privacy breach caused Upstate University Hospital to review and strengthen its safety measures for keeping patient health data private and confidential.