HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Deaconess Health System and Blue Earth County Notify Patients About Insider Data Breaches

Indiana-based Deaconess Health System and Blue Earth County in Minnesota have notified individuals that sensitive personal information has been accessed by employees without authorization.

Deaconess Health System Notifies Female Patients About Unauthorized Medical Record Access by Physician

A physician formerly employed by Deaconess Health System in Evansville, IN, has been discovered to have accessed the medical records of female patients without authorization.

On January 26, 2022, the unauthorized medical record access was discovered by Deaconess Health System during a routine audit of access logs. According to the law firm Ladendorf Law of Indianapolis, which spoke with six women who were notified about the privacy breach by Deaconess Health System, the unauthorized first occurred no later than June 2020.

According to attorney Taylor Ivy, all six of the women said the first contact occurred in bars in the West Side of the city. The physician had approached them and started talking to them and obtained information about them during the encounter. It appears that the physician looked up the women in the medical record system after the initial encounter.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The law firm said one woman was notified by Deaconess Health System that her medical records had been accessed by the physician on eight occasions between June 2020 and December 2021 for non-work-related reasons. The records contained personal information, contact information, and her medical history. Deaconess Health System apologized for the breach and offered the woman complimentary online identity theft protection for 12 months. One of the women said the physician turned up at her place of work and gave her a written note.

Deaconess Health System said that when the breach was discovered, the physician was permanently terminated. The incident has not appeared on the HHS’ breach portal at this stage. Since the breach notification letter posted on Facebook by the law firm was dated February 23, 2022, that suggests the unauthorized access involved fewer than 500 records. The law firm has requested any person who has been notified about the breach make contact with them, as claims may be pursued.

Insider Breach at Blue Earth County Human Services Department

An employee of the Blue Earth County Human Services Department was discovered to have accessed the private information of individuals without authorization between June 5, 2020, and May 24, 2021. When the unauthorized access was discovered, the individual was placed on administrative leave pending the outcome of the investigation. The review of access logs confirmed the employee had accessed the personal information of 222 individuals without authorization. The database that was accessed included individuals’ names, addresses, medical histories, and Social Security numbers. After the investigation concluded, the employee resigned from their position.

Officials at Blue Earth County said no evidence was found to indicate any information was copied from its systems or sold to third parties, and this appears to have been a case of the employee snooping on records.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.