HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ann & Robert H. Lurie Children’s Hospital of Chicago Fires Worker for Unauthorized Medical Record Access

Ann & Robert H. Lurie Children’s Hospital of Chicago, a pediatric specialty hospital in Chicago, IL, has discovered a former employee accessed the medical records of certain patients without a legitimate work reason for doing so. The unauthorized access occurred between September 10, 2018 and September 22, 2019.

The hospital learned of the HIPAA violation on November 15, 2019 and immediately terminated the employee’s access to all patient information while the incident was investigated. The employee was subsequently disciplined for the violation of HIPAA and hospital policies and was terminated.

The employee was unable to view full Social Security numbers, financial information, or health insurance information. The only types of information that could have been viewed were names, addresses, dates of birth, diagnoses, appointment dates, medical procedures, and other limited medical information.

The breach notice published on the hospital’s website makes no mention of the reason why the former employee was accessing patient information, but the hospital says there is no reason to suspect that any patient information has been stolen, further disclosed, or misused.

Patients affected by the breach were notified by mail on December 26, 2019. As a precaution against misuse of their personal and health information, affected patients have been advised to monitor the statements they receive from their healthcare provider. A spokesperson for the hospital said, “Lurie Children’s deeply regrets that this incident occurred,” and confirmed that steps have been taken to prevent any further incidents of this nature from occurring in the future, including providing further training for employees on the hospital’s policies regarding unauthorized accessing of patient records.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear how many patients have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.