Share this article on:
Health Access Network has notified “less than 500” patients of its Lincoln Medical Center that their protected health information was improperly accessed by an employee.
On August 18, Health Access discovered the employee had accessed patient health records without any legitimate reason for doing so. After proof of improper access was obtained, the employee was interviewed but she did not give hospital officials any reason as to why she had viewed patient records.
The woman had been provided with access to files in order to complete her work duties. Health Access Network did not disclose the exact nature of the data accessed by the employee, although the woman was authorized to view patient names, financial information, and Social Security numbers. A review of data access logs revealed no information had been downloaded by the woman, although it was not possible to tell if any patient information had been manually copied.
An investigation of the employee’s computer activities was launched to determine the extent of the privacy breach. The investigation revealed employee records had been improperly accessed over a period of two months between June and August 2016. Each medical record accessed by the employee had to be checked to determine whether there was any legitimate reason for the record being accessed. That process took some time to complete, which delayed the issuing of breach notification letters to patients. However, notifications were sent inside the 60-day HIPAA Breach Notification Rule deadline.
The employee was terminated for violating HIPAA Rules and hospital policies and patients have now been notified of the breach by mail. Since there is a risk that their data were used inappropriately, all affected individuals have been offered complimentary credit monitoring and identity theft protection services.
Health Access Network Chief Executive Officer Bill Diggins said this is the first incident of this nature that the organization has had to deal with. To prevent future incidents, Health Access officials will be conducting regular audits of data access logs of all new employees “until they establish that they understand their obligations.”