Share this article on:
Ann & Robert H. Lurie Children’s Hospital of Chicago, a pediatric specialty hospital in Chicago, IL, has discovered a former employee accessed the medical records of certain patients without a legitimate work reason for doing so. The unauthorized access occurred between September 10, 2018 and September 22, 2019.
The hospital learned of the HIPAA violation on November 15, 2019 and immediately terminated the employee’s access to all patient information while the incident was investigated. The employee was subsequently disciplined for the violation of HIPAA and hospital policies and was terminated.
The employee was unable to view full Social Security numbers, financial information, or health insurance information. The only types of information that could have been viewed were names, addresses, dates of birth, diagnoses, appointment dates, medical procedures, and other limited medical information.
The breach notice published on the hospital’s website makes no mention of the reason why the former employee was accessing patient information, but the hospital says there is no reason to suspect that any patient information has been stolen, further disclosed, or misused.
Patients affected by the breach were notified by mail on December 26, 2019. As a precaution against misuse of their personal and health information, affected patients have been advised to monitor the statements they receive from their healthcare provider. A spokesperson for the hospital said, “Lurie Children’s deeply regrets that this incident occurred,” and confirmed that steps have been taken to prevent any further incidents of this nature from occurring in the future, including providing further training for employees on the hospital’s policies regarding unauthorized accessing of patient records.
The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear how many patients have been affected.