25% off all training courses Offer ends May 8, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 8, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period

Posted By on May 30, 2017

A former Beacon Health System employee has been discovered to have accessed the medical records of approximately 1,200 patients without authorization over a period of three years.

The privacy breach was uncovered during a routine audit of ePHI access logs, with the unauthorized access discovered on March 30, 2017. The employee in question was permitted to access patient records to perform work duties, although access rights were abused and the records of other patients were viewed even though there was no legitimate work reason for doing so.

Upon discovery of the unauthorized access, Beacon Health conducted a full review with assistance from an external computer forensics firm and determined the inappropriate access started in March 2014. The employee was interviewed and claimed the records were accessed out of curiosity only and confirmed no information was copied or disclosed to other individuals. The medical records were accessed after patients visited the Emergency Room for treatment.

The types of information in the records included patients’ names, ages, room numbers, chief medical complaint and the acuity of their illness. Social Security numbers, health insurance information and financial account information were also potentially viewed by the employee.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The incident has prompted Beacon Health System to introduce new procedures to reduce the likelihood of further privacy breaches of this nature from occurring. A review of the Beacon Health training curriculum is also taking place and training programs will be updated accordingly.

While the breach notice does not explicitly state the employee was terminated as a direct result of this incident, Beacon Health System said the individual is no longer employed.

Even though further disclosures of patients’ ePHI are not believed to have occurred, the sensitive nature of the ePHI that was accessed by the employee prompted Beacon Health to offer all affected patients 12 months of identity theft and identity restoration services without charge.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist