Share this article on:
A former employee of the emergency department of Brooklyn’s Kings County Hospital is alleged to have stolen the protected health information of at least 100 individuals while working at the hospital and disclosed that information to another individual using an encrypted smartphone app.
Orlando Jemmott, 52, was employed at the hospital for 12 years between March 2006 and April 2018 and was given access to patient health records in order to complete his work duties. Jemmott was required to enter patient information into the hospital’s system such as demographic data and information on patients’ symptoms and health complaints.
In June 2017, the FBI received a tip that Jemmott was stealing patient information and selling the data to another individual. The woman claimed the information was being sent via the WhatsApp encrypted messaging app. The woman took Jemmott’s mobile phone from his house and handed it over to the FBI along with a photo from his WhatsApp profile. A warrant was then obtained by the FBI to search the phone. The search revealed hundreds of communications between Jemmott and an individual in Pennsylvania who was subsequently identified as Ron Pruitt.
Those communications included more than 180 combinations of patient names and phone numbers, which were sent by Jemmott to Pruitt between December 2014 and April 2015. According to court documents, the identities of at least 100 individuals have been confirmed. The hospital has confirmed that 98 of those individuals were patients at the hospital at the time of the disclosure. The hospital also confirmed that in 88 of the 98 cases, the records of patients had been accessed without authorization.
The tipster also provided paper copies of health information to the FBI which had been printed out between December 2016 and June 2017. The printouts contained the protected health information of 49 individuals, which the hospital confirmed was obtained from its electronic health record system.
Jemmott was arrested in February 2018, was fired by the hospital in April, and has been released on an $80,000 bond. Pruitt was arrested by the FBI in early September. Both are attempting to negotiate plea deals. It is currently unclear what the disclosed protected health information was used for.
It is a requirement of HIPAA to record and maintain PHI access logs and to review those logs regularly for signs of unauthorized access. It may not be possible to prevent unauthorized accessing of PHI by healthcare employees, but it is possible to detect breaches promptly and limit the harm caused. There have been many cases of insider breaches continuing for years before the breach was detected, during which time the records of thousands of patients were accessed.