Former Huntington Hospital Employee Charged with Criminal HIPAA Violation

Former Huntington Hospital Employee Charged with Criminal HIPAA Violation
Home»HIPAA Breach News»Former Huntington Hospital Employee Charged with Criminal HIPAA Violation
Posted By HIPAA Journal on Nov 25, 2021

Report a HIPAA Violation Anonymously
Share this article on:

Facebook
Twitter
LinkedIn
A former employee of Huntington Hospital in New York has been charged with a criminal HIPAA violation over the unauthorized accessing of 13,000 patient records.

The employee worked the night shift at the hospital impermissibly accessed the medical records of patients between October 2018 and February 2019. The types of information viewed by the employee included demographic information such as names, dates of birth, telephone numbers, addresses, internal account numbers, medical record numbers, and clinical information including diagnoses, medications, lab test results, treatment information, and healthcare provider names. Huntington Hospital said it found no evidence to suggest Social Security numbers, insurance information, credit card numbers, and other payment-related information were accessed.

When the unauthorized access was discovered, the employee was immediately suspended while a comprehensive investigation was conducted. The investigation concluded on February 25, 2019, the employee was terminated for the HIPAA violation, and law enforcement was notified.

The hospital said all employees are provided with HIPAA training and are made aware of their responsibilities with respect to the protected health information of patients, and that its training program is ongoing. The hospital has security tools in place that monitor for unauthorized access and regular audits of access logs are conducted. The breach has prompted the hospital to improve its access controls and additional, targeted training has been provided to the workforce to reemphasize the importance of ensuring patient confidentiality.

Huntington Hospital recently issued a press release about the unauthorized access and has now sent breach notification letters to all affected individuals. While the HIPAA Breach Notification Rule requires notification letters to be sent to affected patients within 60 days of the discovery of a data breach, notifications can be delayed at the request of law enforcement. In this case, law enforcement requested the hospital delay issuing notifications so as not to impede the investigation. Law enforcement gave the hospital the go-ahead to issue breach notification letters this month.

While Social Security numbers and financial information are not believed to have been accessed, the hospital has offered affected individuals complimentary identity theft protection services for 12 months, or longer if required to do so by state laws.

The law enforcement investigation concluded the unauthorized access warranted criminal charges for the HIPAA violation.

Southwestern Vermont Medical Center Notifies Patients About Insider Data Breach
Southwestern Vermont Medical Center has issued notification letters to certain patients whose medical records were obtained by a former resident physician.

On or around September 16, 2021, the Bennington hospital discovered the former physician had copied portions of certain patients’ medical records and sent them to a personal email account in June 2021 prior to completing their residency. The theft of patient data has been reported to law enforcement and the hospital is assisting with the investigation. At this stage of the investigation it is unclear why the medical records were copied.

The types of information obtained by the physician varied from patient to patient and may have included one or more of the following types of protected health information: First and last name, date of birth, medical record number, treating provider name, summaries of care, and other limited information that was recorded to provide medical services to patients.

Southwestern Vermont Medical Center said it has not been made aware of any misuse of patient data; however, affected patients are being encouraged to monitor the statements they receive from their healthcare providers and insurers.