Share this article on:
A Berkeley Medical Center employee has been discovered to have inappropriately accessed the electronic protected health information of more than 7,400 patients over a period of 10 months.
WVU Medicine University Healthcare discovered the inappropriate accessing of ePHI by an employee of the Berkeley Medical Center on January 17, 2017 after being alerted to potential data theft by law enforcement. A joint investigation into the employee had been conducted by the FBI and the Berkeley County Sheriff’s Department.
As soon as WVU Medicine University Healthcare became aware of the incident, an internal investigation was launched. Two days later, the employee was suspended pending the outcome of the investigation. Information provided to the healthcare provider from law enforcement linked the employee with 113 former patients who had suffered identity theft.
The healthcare worker had been employed by WVU Medicine University Healthcare since March 2004 and was required to schedule appointments for patients at both the Berkeley Medical Center in Martinsburg, WV and Jefferson Medical Center in Ranson, WV. The investigation revealed that the inappropriate accessing of medical records first occurred on March 1, 2016. Inappropriate access continued until the notification was received by law enforcement.
No evidence was uncovered to suggest that the employee copied ePHI onto a portable device, although Teresa McCabe, vice president of marketing and development, said the employee manually copied data from computer screens and removed that information from the premises. A link between 113 patients and the employee was found, although in total, 7,445 breach notification letters were sent to patients informing them of unauthorized ePHI access.
After the investigation confirmed that hospital and HIPAA Rules had been violated, WVU Medicine University Healthcare terminated the employee. A criminal investigation is ongoing and the woman is being prosecuted.
The female employee was found to be in possession of driver’s licenses with photos and insurance and Social Security cards, suggesting the stolen information had already been used for identity theft. It is unclear whether those identification documents have been used to fraudulently obtain credit or medical services.
All individuals impacted by the incident have been offered credit monitoring and identity theft protection services for a period of one year via Kroll. Patients have been encouraged to check their accounts, credit histories, and EoB statements and to alert their financial organizations to the possibility of fraudulent use of their information.
HIPAA Requires Regular Reviews of ePHI Access Logs
Inappropriate accessing of patients’ medical records by healthcare employees occurs frequently, although this incident stands out due to the number of patients potentially impacted and how long it took for the HIPAA violation to be discovered – almost 10 months.
According to a statement released by WVU Medicine University Healthcare, “Because the former employee had access to this information as part of her employment as an authorization/prescheduling coordinator, her criminal conduct could not be detected as part of University Healthcare’s routine IT/privacy security checks.”
The HIPAA Security Rule (Security Management Process) requires healthcare originations to maintain ePHI access logs and to regularly check those logs for signs of inappropriate access. An Information System Activity Review should be conducted regularly. Audit logs, access reports and security incident tracking reports should be reviewed – § 164.308(a)(1)(ii)(D).
When healthcare employees are found to have accessed information without a legitimate work reason for doing so, it sends a message to other employees that their actions are being carefully monitored. This helps to establish a culture of responsibility and accountability. Prompt identification of inappropriate ePHI access will also ensure that patients can be notified in time to prevent their stolen information from being used to steal identities and commit medical fraud.