HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Jamaica Hospital Medical Center Employees Charged with HIPAA Breach

Hospitals and other healthcare providers may now be concentrating on protected PHI from hackers; however often the biggest threat to patient privacy comes from within. The latest internal HIPAA breach to be reported occurred at the New York Jamaica Hospital Medical Center. Two employees stand accused of inappropriately accessing and disclosing HIPAA-covered data. They have recently been charged with illegally accessing the hospital’s patient database to obtain confidential information on patients.

Queens District Attorney, Richard A. Brown, recently announced that two former registrars employed at the hospital, Maritza Amador, 44 and Dache Prawl, 45 – both Queens residents – had accessed, viewed and stolen the data of emergency room patients while employed at the hospital.

Social Security numbers, financial information and personal identifiers carry a high price on the black market as they can be used by criminals to obtain medical services and prescriptions, as well as being used to commit identity fraud. However in this case the data was taken for other reasons.

The pair stands accused of stealing patient data to pass to lawyers and “medical mills”, with the legal professionals. In some instances, data was obtained on the patients before they had even left the hospital.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

In one case, the hospital’s computer logs show that within two hours of a patient having entered the hospital, Amador used her computer to access the patients’ records, which included details of the treatment he received. The patient received a phone call from a person claiming they were employed at the hospital to confirm that the patient had received follow up treatment, and a subsequent call was received from an attorney asking if the patient required representation in a personal injury claim.

Another case, this time involving Prawl, resulted in a patient receiving a call from an attorney who was trying to solicit them as a client. The call was received before the patient had even exited the emergency room.

Charges Filed for the Inappropriate Accessing of Medical Records

The charges being filed against the employees include unauthorized use of a computer, computer trespass and second-degree unlawful possession of personal identification information. Both face a jail term of up to 4 years if found guilty.

After an investigation into the unlawful access and disclosure of PHI it was determined that Amador and Prawl accessed over 250 records each which included medical information such as details of their injuries as well as Social Security numbers, names, addresses and telephone numbers. It is not clear what information was disclosed to lawyers after the data was obtained.

Healthcare Providers can Be Fined for Employee Snooping

Healthcare providers can be held liable for the inappropriate accessing and disclosure of patient records by employees, although it is not clear at this stage whether any action will be taken against the hospital for the HIPAA violations.

It may not be possible to eliminate the risk of employees snooping on PHI, but healthcare providers can limit the risk by providing training to staff and informing it of the repercussions of stealing patient health information. What is particularly concerning in this case is not the theft of data, but how long the pair was able to continue with their snooping before they were caught by the hospital. The offenses are reported to have taken place over a period of two years, between Feb 10, 2012 and March 12, 2014.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.