HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Kaiser Permanente Discovers 8-Year Employee HIPAA Breach

The Oakland, CA-based healthcare provider, Kaiser Permanente, has discovered a former employee accessed the radiology records of thousands of patients without authorization over a period of 8 years.

The privacy breach was discovered in late March and the employee was placed on administrative leave while an internal investigation was conducted. Kaiser Permanente was unable to find any legitimate work reason for the employee accessing the records and determined that the access fell outside of the scope of the employee’s job functions. The first instance of unauthorized access occurred in 2012 and the employee continued to access radiology records until her actions were discovered in March 2020.

The employee worked as an imaging technician in the radiology department and has now been fired over the HIPAA violation. While unauthorized access to protected health information was confirmed, Kaiser Permanente found no evidence to suggest that patient information was copied or used to commit fraud or any other criminal activity.

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on May 22, 2020 by Kaiser Foundation Health Plan of the Mid-Atlantic States. The breach report shows that over an 8-year period the imaging technician impermissibly accessed the records of 2,756 patients.

All affected individuals are now being notified about the privacy breach by mail.

Ridgeview Institute – Monroe Employee Terminated Over Unauthorized PHI Access and Impermissible Disclosure

Ridgeview Institute – Monroe in Georgia, a provider of mental health and addiction treatment services, has discovered a former employee accessed the records of certain patients without authorization and sent copies of patient information to a personal email account.

The privacy breach was discovered on January 14, 2020, prompting an internal investigation to determine the nature and scope of the breach. It took some time to determine exactly what information had been copied and which patients were affected, hence the delay in notifying affected individuals.

The information in the stolen documents was determined to include patients’ full names, birth dates, Social Security numbers, patient ID numbers, health insurance provider names, diagnoses, treatment information, prescriptions, medical procedures, and lab test and other test results.

The employee admitted accessing and copying patient information without authorization and said the data had been subsequently disclosed to her attorney and one other individual.

No reason was provided as to why the information was copied and impermissibly disclosed. According to the Ridgeview Institute, assurances have been obtained from the unauthorized individual to whom the information was disclosed that the documents will not be shared with any other parties. The employee, who no longer works at Ridgeview, has confirmed that all other copies of the documents have been destroyed.

All affected patients are in the process of being notified and complimentary identity theft protection services are being offered.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.