HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period

A former Beacon Health System employee has been discovered to have accessed the medical records of approximately 1,200 patients without authorization over a period of three years.

The privacy breach was uncovered during a routine audit of ePHI access logs, with the unauthorized access discovered on March 30, 2017. The employee in question was permitted to access patient records to perform work duties, although access rights were abused and the records of other patients were viewed even though there was no legitimate work reason for doing so.

Upon discovery of the unauthorized access, Beacon Health conducted a full review with assistance from an external computer forensics firm and determined the inappropriate access started in March 2014. The employee was interviewed and claimed the records were accessed out of curiosity only and confirmed no information was copied or disclosed to other individuals. The medical records were accessed after patients visited the Emergency Room for treatment.

The types of information in the records included patients’ names, ages, room numbers, chief medical complaint and the acuity of their illness. Social Security numbers, health insurance information and financial account information were also potentially viewed by the employee.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The incident has prompted Beacon Health System to introduce new procedures to reduce the likelihood of further privacy breaches of this nature from occurring. A review of the Beacon Health training curriculum is also taking place and training programs will be updated accordingly.

While the breach notice does not explicitly state that the employee was terminated as a direct result of this incident, Beacon Health System said the individual is no longer employed.

Even though further disclosures of patients’ ePHI are not believed to have occurred, the sensitive nature of the ePHI that was accessed by the employee prompted Beacon Health to offer all affected patients 12 months of identity theft and identity restoration services without charge.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.