Insider Breaches Identified by Three Healthcare Providers
Three insider incidents have recently been identified by healthcare providers in Florida, Massachusetts, and Indiana, including one privacy breach that has been ongoing for more than two and a half years.
University of Miami Health System
University of Miami Health System (UMHS) is notifying almost 3,000 patients about an insider data breach that has been ongoing for more than two and a half years. In June 2025, UMHS discovered that an employee had been accessing the medical records of patients when there was no legitimate business or clinical reason for doing so.
The review of access logs showed the unauthorized access started in September 2022 and continued until May 2025. Under HIPAA, medical records may only be accessed by employees for reasons related to treatment, payment for healthcare, and healthcare operations. If unauthorized medical record access is identified, the individuals responsible face sanctions; in this case, the sanction was termination of employment. UMHS is also collaborating with law enforcement over the incident.
The former employee did not have the necessary access rights to view financial information or Social Security numbers, but was able to view patient information such as names, dates of birth, medical record numbers, provider names, diagnosis/condition information, insurance information, and vaccination status. In total, the medical records of 2,928 patients were accessed over the space of more than two and a half years.
The affected individuals are being notified by Kroll and are being offered complimentary credit monitoring and identity theft protection services. UMHS is also enhancing its security measures and practices to better safeguard patient data.
Berkshire Health Systems
Berkshire Health Systems (BHS) in Massachusetts has discovered that an employee has been accessing patients’ medical records without authorization. BHS received a report about an employee potentially accessing patients’ medical records without a legitimate work reason for doing so, and the privacy team immediately launched an investigation, which involved a review of access logs.
The access logs confirmed there had been unauthorized access to patient records, but no evidence was found to indicate any of the information in those records was downloaded, printed, or copied. BHS believes the employee was acting independently, with no other individuals involved. The employee was interviewed and denied disclosing any patient information to other individuals and was terminated for the HIPAA violation.
BHS said it has optimized its privacy monitoring software to help prevent further incidents of this nature in the future, and wrote to the affected patients on August 12, 2025, informing them about the privacy breach. The former employee only had limited access to patient data and could not view highly sensitive information such as financial information, health insurance information, or Social Security numbers. Information potentially viewed includes patient names, dates of birth, medical record numbers, diagnoses, and visit notes. BHS has not publicly disclosed how many individuals were affected, and the incident is not currently shown on the HHS’ Office for Civil Rights breach portal.
Life in Motion Family Wellness Center
Life in Motion Family Wellness Center in Evansville, Indiana, has discovered that patient data has been provided to a local physician and used to try to solicit business. The data breach occurred on July 22, 2025, and involved an individual who had previously rented office space in the center. That individual obtained a list of patient names, addresses, telephone numbers, and dates of birth, which she provided to the physician for marketing purposes.
The HHS’ Office for Civil Rights has been notified, law enforcement has been informed, and individual notification letters have been sent to the affected patients. Steps have also been taken to prevent similar incidents in the future, including reviewing system access and adding new layers of protection. The HHS’ Office for Civil Rights breach portal indicates 3,747 individuals were affected.


