A former employee of Huntington Hospital in New York has been charged with a criminal HIPAA violation over the unauthorized accessing of 12,925 patient records.
The employee worked the night shift at Huntington Hospital during which time he impermissibly accessed patients’ medical records over 4 months between October 2018 and February 2019. The types of information viewed by the employee included demographic information such as names, dates of birth, telephone numbers, addresses, internal account numbers, medical record numbers, and clinical information including diagnoses, medications, lab test results, treatment information, and healthcare provider names. Huntington Hospital said it found no evidence to suggest Social Security numbers, insurance information, credit card numbers, and other payment-related information were accessed.
When the unauthorized access was discovered, the employee was immediately suspended while a comprehensive investigation was conducted. The investigation concluded on February 25, 2019; the employee was terminated for the HIPAA violation and law enforcement was notified.
The hospital said all employees are provided with HIPAA training and are made aware of their responsibilities with respect to the protected health information of patients, and that its training program is ongoing. The hospital has security tools in place that monitor for unauthorized access and regular audits of access logs are conducted. The breach has prompted the hospital to improve its access controls and additional, targeted training has been provided to the workforce to reemphasize the importance of ensuring patient confidentiality.
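The audit-log review the hospital describes is the control that catches this kind of insider: a workforce member who views far more distinct charts per shift than peers in the same role, much of it at night. The script below is an added illustration, not the hospital's tooling or any vendor's product. It assumes a constructed log line format (`timestamp,user_id,role,mrn,action`), constructed sample events, and constructed thresholds; an anomaly is a user whose distinct-patient count for one day exceeds the larger of an absolute limit and a multiple of the role's peer median.

```python
"""Review an EHR access log for users viewing an abnormal number of distinct
patient records in a day (constructed example; formats and thresholds are
assumptions, not taken from the article or any real system)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

ABS_THRESHOLD = 25          # distinct patients/day that is suspicious on its own (assumed)
RATIO = 3.0                 # multiple of the role's peer median that triggers an alert (assumed)
NIGHT_START, NIGHT_END = 22, 6   # hours counted as night shift (assumed)

# Constructed sample log: tech_a and tech_b view a handful of charts each, as a
# telemetry technician normally would; tech_x sweeps through 40 unrelated
# charts during the early morning hours.
SAMPLE_LOG = """\
2018-11-03T23:10:05,tech_a,telemetry_tech,MRN0001,VIEW
2018-11-03T23:12:40,tech_a,telemetry_tech,MRN0002,VIEW
2018-11-03T23:40:11,tech_a,telemetry_tech,MRN0003,VIEW
2018-11-04T00:05:09,tech_b,telemetry_tech,MRN0004,VIEW
2018-11-04T00:07:19,tech_b,telemetry_tech,MRN0005,VIEW
2018-11-04T00:12:30,tech_b,telemetry_tech,MRN0004,VIEW
""" + "".join(
    f"2018-11-04T0{1 + i // 30}:{i % 60:02d}:00,tech_x,telemetry_tech,MRN{100 + i:04d},VIEW\n"
    for i in range(40)
)


def parse_line(line):
    """Split one constructed-format log line into a dict with a parsed timestamp."""
    ts, user, role, mrn, action = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "mrn": mrn, "action": action}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def distinct_patients_per_user_day(events):
    """Map (user, YYYY-MM-DD) -> number of distinct MRNs that user touched that day."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"].date().isoformat())].add(e["mrn"])
    return {key: len(mrns) for key, mrns in seen.items()}


def is_night(ts):
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END


def flag_anomalies(events):
    """Return one alert per (user, day) whose distinct-patient count is far above peers."""
    counts = distinct_patients_per_user_day(events)
    role_of = {e["user"]: e["role"] for e in events}

    # Peer baseline: median of per-user-day distinct counts within each role.
    by_role = defaultdict(list)
    for (user, _day), n in counts.items():
        by_role[role_of[user]].append(n)
    baseline = {role: median(vals) for role, vals in by_role.items()}

    alerts = []
    for (user, day), n in sorted(counts.items()):
        limit = max(ABS_THRESHOLD, RATIO * baseline[role_of[user]])
        if n > limit:
            night_events = sum(
                1 for e in events
                if e["user"] == user and e["ts"].date().isoformat() == day and is_night(e["ts"])
            )
            alerts.append({"user": user, "day": day, "distinct_patients": n,
                           "peer_median": baseline[role_of[user]],
                           "night_events": night_events})
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this flags only `tech_x` (40 distinct patients against a peer median of 3, all 40 events at night). A count-based rule like this is a coarse first pass; a production review would also check whether each access had a treatment relationship and would tune the thresholds per role and unit, since a triage nurse legitimately opens far more charts than a telemetry technician.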
Huntington Hospital recently issued a press release about the unauthorized access and has now sent breach notification letters to all affected individuals. While the HIPAA Breach Notification Rule requires notification letters to be sent to affected patients within 60 days of the discovery of a data breach, notifications can be delayed at the request of law enforcement. In this case, law enforcement requested the hospital delay issuing notifications so as not to impede the investigation. Law enforcement gave the hospital the go-ahead to issue breach notification letters this month.
While Social Security numbers and financial information are not believed to have been accessed, the hospital has offered affected individuals complimentary identity theft protection services for 12 months, or longer if required to do so by state laws.
The law enforcement investigation concluded the unauthorized access warranted criminal charges for the HIPAA violations. According to court documents, the employee, Luis Soriano, worked at three unnamed New York hospitals, first as a patient caretaker, then as a licensed emergency department technician, and in the third hospital as a telemetry technician, and is alleged to have stolen patient data from all three hospitals.
Soriano took part in a scheme between June 2012 and August 2019 that involved accessing and disclosing protected health information to others, in violation of the HIPAA Rules, in exchange for payments totaling between $100,000 and $150,000. Soriano has been released on a $50,000 bond and is due to be sentenced on April 5, 2022. Soriano faces up to 10 years in jail for the crimes.
Southwestern Vermont Medical Center Notifies Patients About Insider Data Breach
Southwestern Vermont Medical Center has issued notification letters to certain patients whose medical records were obtained by a former resident physician.
On or around September 16, 2021, the Bennington hospital discovered the former physician had copied portions of certain patients’ medical records and sent them to a personal email account in June 2021 prior to completing their residency. The theft of patient data has been reported to law enforcement and the hospital is assisting with the investigation. At this stage of the investigation, it is unclear why the medical records were copied.
The types of information obtained by the physician varied from patient to patient and may have included one or more of the following types of protected health information: first and last name, date of birth, medical record number, treating provider name, summaries of care, and other limited information that was recorded to provide medical services to patients.
Southwestern Vermont Medical Center said it has not been made aware of any misuse of patient data; however, affected patients are being encouraged to monitor the statements they receive from their healthcare providers and insurers.