Hospitals and other healthcare providers may now be concentrating on protecting PHI from hackers; however, the biggest threat to patient privacy often comes from within. The latest internal HIPAA breach to be reported occurred at the New York Jamaica Hospital Medical Center. Two employees stand accused of inappropriately accessing and disclosing HIPAA-covered data. They have recently been charged with illegally accessing the hospital’s patient database to obtain confidential information on patients.
Queens District Attorney, Richard A. Brown, recently announced that two former registrars employed at the hospital, Maritza Amador, 44 and Dache Prawl, 45 – both Queens residents – had accessed, viewed and stolen the data of emergency room patients while employed at the hospital.
Social Security numbers, financial information and personal identifiers carry a high price on the black market, as criminals can use them to obtain medical services and prescriptions and to commit identity fraud. However, in this case the data was taken for other reasons.
The pair stands accused of stealing patient data to pass to lawyers and “medical mills”, with the legal professionals. In some instances, data was obtained on the patients before they had even left the hospital.
In one case, the hospital’s computer logs show that within two hours of a patient having entered the hospital, Amador used her computer to access the patient’s records, which included details of the treatment he received. The patient received a phone call from a person claiming they were employed at the hospital to confirm that the patient had received follow-up treatment, and a subsequent call was received from an attorney asking if the patient required representation in a personal injury claim.
Another case, this time involving Prawl, resulted in a patient receiving a call from an attorney who was trying to solicit them as a client. The call was received before the patient had even exited the emergency room.
Charges Filed for the Inappropriate Accessing of Medical Records
The charges being filed against the employees include unauthorized use of a computer, computer trespass and second-degree unlawful possession of personal identification information. Both face a jail term of up to 4 years if found guilty.
After an investigation into the unlawful access and disclosure of PHI, it was determined that Amador and Prawl accessed over 250 records each. The records included medical information, such as details of the patients’ injuries, as well as Social Security numbers, names, addresses and telephone numbers. It is not clear what information was disclosed to lawyers after the data was obtained.
Healthcare Providers Can Be Fined for Employee Snooping
Healthcare providers can be held liable for the inappropriate accessing and disclosure of patient records by employees, although it is not clear at this stage whether any action will be taken against the hospital for the HIPAA violations.
It may not be possible to eliminate the risk of employees snooping on PHI, but healthcare providers can limit the risk by providing training to staff and informing them of the repercussions of stealing patient health information. What is particularly concerning in this case is not the theft of data, but how long the pair was able to continue with their snooping before they were caught by the hospital. The offenses are reported to have taken place over a period of two years, between Feb 10, 2012 and March 12, 2014.