It has been discovered by the University Hospital Newark (NY) that the PHI of thousands of patients has been stolen by a former member of staff who accessed the private data for more than 12 months with official permission.
After obtaining the information illegally it was then shared with other people who did not have permissions to access it. Breaches like this that involve internal members of staff are fairly common. However, this one is slightly different in the manner of the offence that took place, according to the substitute breach notice, on the University Hospital Newark databases at some point between January 1, 2016, and December 31, 2017.
The former employee had been granted temporary access to patient data in order to carry out work duties. However, they exceeded the authorized use of that access and accessed patient data that was not related to their duties. The range of data accessed and obtained by the individual incorporated names, addresses, dates of birth, Social Security data, health insurance details, medical record numbers, and clinical data linked to care patients administered at University Hospital. Representatives of the University Hospital said the matter has been made known to law enforcement agencies and a criminal review into the unauthorized access and disclosure remains current.
Additionally, University Hospital confirmed that it began contacting affected individuals on October 11 2021 in relation to the matter and has given them the option of availing of free identity theft and credit monitoring services for a period of one year. University Hospital has taken measures to mitigate the danger of additional data breaches of this nature, including a review of internal policies and procedures and further training for the staff on patient privacy. The breach has been made known to the Department of Health and Human Services’ Office for Civil Rights as impacting 9,329 patients.
Staff members regularly access and share PHI to identity thieves, although the range of the data involved on this occasion indicates that may not be the case. University Hospital has not shared the reason for the access or how the breach was initially identified, only that the former employee viewed the PHI of patients who attended the emergency department and received treatment for injuries suffered in a motor vehicle accident between 2016 and 2017.