Dedicated to providing the latest
HIPAA compliance news

Snooping St. Charles Health System Employee Accessed Almost 2,500 Patient Records

Share this article on:

The four-hospital St. Charles Health System in central Oregon has discovered an employee accessed the medical records of almost 2,500 patients without authorization over a period of 27 months from October 2014 to January 2017.

On January 16, 2017, the unnamed caregiver was discovered to have improperly accessed the medical records of a single patient, prompting a review of her ePHI access logs. That investigation revealed that this was far from a one-off incident. The improper access dated back to October 8, 2014. During that time, the caregiver was found to have accessed 2,459 patient files with no legitimate work reason for doing so.

When confronted about the improper access the female employee said she had accessed the records out of curiosity with no malicious intent. The health system said it took ‘swift and appropriate action’ and the employee was disciplined, although it is unclear what the disciplinary action involved and whether the employee was terminated as a result of her actions.

The health system does not consider the employee’s actions were criminal in nature, and a signed affidavit was obtained in which the employee stated she had not used or shared any information with others with the purpose of committing fraud, financial crimes or any other crimes against the patients concerned.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights and state regulators. Affected patients are being notified of the privacy breach by mail. All individuals affected by the breach have been offered credit monitoring and identity theft restoration services for 12 months as a precaution.

The information accessed by the employee included names, addresses, dates of birth, driver’s license numbers, health insurance information, diagnoses, medications prescribed, treatment information, and physician’s names.

A statement about the incident was issued by Nicole Hough, vice president of compliance at St. Charles Health System, saying “We want our patients and their families and the community to really understand how sorry we are for this situation and understand we took swift action and we are taking action to ensure this doesn’t happen again.”

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On