Hawaii Pacific Health Discovers 5-Year Insider Data Breach

Hawaii Pacific Health has discovered that an employee of Straub Medical Center in Honolulu had been snooping on the medical records of patients over a period of more than 5 years.

Hawaii Pacific Health discovered the unauthorized access on January 17, 2020, and launched an investigation. An analysis of access logs revealed the employee first started viewing patient records in November 2014 and continued to do so undetected until January 2020. During that time, the employee viewed the medical records of 3,772 patients. The employee was terminated after the investigation concluded.

Affected patients had received treatment at Straub Medical Center, Kapiolani Medical Center for Women & Children, Pali Momi Medical Center, or Wilcox Medical Center. The types of information that the employee could have viewed included patients’ first and last names, telephone numbers, addresses, email addresses, dates of birth, race/ethnicity, religion, medical record numbers, primary care provider information, dates of service, appointment types and related notes, hospital account numbers, department name, provider names, guarantor names and account numbers, health plan names, and Social Security numbers.

The reason for accessing the records was not determined, but Hawaii Pacific Health believes it was out of curiosity rather than to obtain sensitive information for malicious purposes. However, data theft could not be ruled out. All patients whose records were accessed by the employee were notified by mail on March 17, 2020 and were offered one year of free credit monitoring and identity restoration services.

Hawaii Pacific Health is reviewing and updating its internal procedures and will be providing further training on patient privacy. The health system is also investigating new technologies that can be implemented to identify unauthorized medical record access and anomalous employee access behavior more rapidly.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.