Henry Mayo Newhall Hospital Fires Employees for Snooping on Medical Records

Henry Mayo Newhall Hospital in Santa Clarita, CA has fired several employees for snooping on the medical records of the Saugus High School shooter.

Under the Health Insurance Portability and Accountability Act (HIPAA) Rules, hospital staff are only permitted to access the medical records of patients with whom they have a treatment relationship or if there is an otherwise legitimate business reason for accessing the records.

The HIPAA Security Rule requires HIPAA-covered entities to implement mechanisms to record activity in information systems containing patients’ electronic protected health information and to regularly review records of system activity to identify unauthorized access. A sanctions policy is also required, which must be applied when members of the workforce violate patient privacy.

On November 14, 2009, a student of Saugus High School shot five students, killing two before turning the pistol on himself. The shooter was taken to Henry Mayo Newhall Hospital where he died the following day.

An analysis of system activity logs revealed several employees at the hospital had viewed the medical records of the shooter. The hospital investigated the potential HIPAA violations and discovered that in several cases, employees had viewed the records without any legitimate business purpose for doing so.

Henry Mayo Newhall Hospital’s director of marketing, public relations, and community engagement, Patrick Moody, told the Santa Clarita Gazette, “All employees receive extensive annual training on state and federal privacy regulations. The training includes detailed descriptions of the potential consequences of violating any of these regulations. All suspected breaches of our HIPAA policies are thoroughly investigated with appropriate consequences, including termination, implemented for confirmed violations upon conclusion of a review.” The Santa Clarita Gazette reports that an unnamed source said 13 employees were fired.

Ozark Orthopaedics Discovers Breach of 4 Email Accounts

Ozark Orthopaedics in Fayetteville, AR has started notifying 15,240 patients about a recent data security incident involving their protected health information.

Unusual activity was detected in employee email accounts on October 8, 2019. Steps were immediately taken to secure the email system and an investigation was launched to determine whether any patient information had been compromised. On November 18, 2019, Ozark Orthopaedics learned that four email accounts had been accessed by an unauthorized individual. On December 20, 2019, Ozark discovered the email accounts contained protected health information including patient names, diagnoses, treatment information, prescription or medication information, health insurance information, Medicare/Medicaid ID numbers, Social Security numbers, and financial account information.

No evidence was found to indicate patient information was accessed or stolen and no reports have been received to suggest any patient information has been misused. Patients were notified on February 28, 2020. Ozark Orthopaedics has since taken steps to improve email security to prevent further breaches.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.