A routine audit conducted by Virginia Mason Memorial has revealed employees have been accessing the protected health information of patients without authorization.
Audits of PHI access logs occasionally reveal that rogue employees have been improperly accessing the medical records of patients, but what makes this incident stand out is the number of employees who were discovered to have improperly viewed PHI. The audit revealed that 21 employees had deliberately accessed PHI without authorization.
Virginia Mason Memorial conducted the audit in January and immediately terminated access to PHI to prevent further privacy breaches. The investigation revealed those 21 employees had accessed the PHI of 419 patients. All of the patients had visited the hospital’s emergency room.
The investigation was conducted internally, although the hospital also brought in a third-party cybersecurity firm to conduct a forensic analysis of its systems. That firm has also been searching the darknet to find out if any of the accessed records have made it onto darknet marketplaces. To date, no patient information appears to have been listed for sale.
A spokesperson for the hospital issued a statement saying, “We believe this to be a case of snooping, or individuals who were bored.” The hospital does not believe the records were accessed with malicious intent. As a precaution, all affected patients have been offered credit monitoring services without charge.
The employees concerned have been interviewed and disciplined, although for legal reasons, the hospital has not disclosed whether those employees have been terminated for their actions.
The types of information accessed include demographic information and patients’ medical records. In some instances, it is possible that Social Security numbers were viewed, although financial information was not accessed by any of the employees.
Patients impacted by the breach were notified of the privacy violation last week by mail, according to a report in the Yakima Herald. While it is not clear exactly when in January the privacy violations were discovered, patient breach notifications appear to have been sent outside the 60-day breach notification window of the HIPAA Breach Notification Rule.
In response to the breach, Virginia Mason Memorial has re-educated employees on HIPAA and hospital rules concerning patient privacy and the hospital will now be monitoring access logs more proactively, with “audits going around the clock”.
The incident shows how important it is for healthcare organizations to conduct regular audits of PHI access logs, so that privacy issues are identified before they become a major problem. It also underlines the importance not only of providing training on HIPAA Rules and patient privacy, but also of regularly reminding employees of the requirements of HIPAA and the penalties for improper PHI access.
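A minimal access-log audit of the kind described above, as an added example that is not Virginia Mason Memorial's tooling: the CSV log format, the user names and the care-team roster are constructed, and the check flags each record opened by a user with no assigned care relationship to that patient, then ranks users by the number of such accesses for review.

```python
# Added example (not the hospital's tooling): audit constructed EHR access-log
# rows for PHI opened by staff with no care relationship to the patient.
import csv
from collections import defaultdict
from io import StringIO

# Constructed access log (CSV): who opened which patient's record and when.
ACCESS_LOG = """\
timestamp,user,patient_id,patient_unit,action
2017-01-03T08:02:11,jdoe,P1001,ER,view
2017-01-03T08:05:40,jdoe,P1002,ER,view
2017-01-03T08:06:02,jdoe,P1003,ER,view
2017-01-03T09:12:55,rlee,P1001,ER,view
2017-01-03T10:30:00,rlee,P2001,ICU,view
2017-01-03T11:45:12,mkim,P1002,ER,view
"""

# Constructed roster: patients each user is assigned to (treatment relationship).
CARE_TEAM = {
    "jdoe": {"P2001"},           # clerk with no ER assignments
    "rlee": {"P1001", "P2001"},  # ER physician
    "mkim": {"P1002"},           # nurse
}

def parse_log(text):
    """Parse CSV access-log text into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))

def find_unassigned_access(rows, care_team):
    """Return rows where the user is not on the patient's care team.
    This is the core 'snooping' signal; each hit still needs human review."""
    hits = []
    for row in rows:
        if row["patient_id"] not in care_team.get(row["user"], set()):
            hits.append(row)
    return hits

def summarize_by_user(hits):
    """Count unassigned accesses per user, highest first, to prioritise review."""
    counts = defaultdict(int)
    for row in hits:
        counts[row["user"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    hits = find_unassigned_access(parse_log(ACCESS_LOG), CARE_TEAM)
    for user, n in summarize_by_user(hits):
        print(f"{user}: {n} record(s) opened without a care relationship")
```

Running this check on a schedule rather than once a year is what "audits going around the clock" amounts to in practice; the roster lookup is the part that must come from the EHR's own assignment data.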