Long Island Jewish Forest Hills Hospital Notifies Patients About Insider Breach

Long Island Jewish Forest Hills Hospital (LIJFH) has started notifying 10,333 patients about an insider data breach involving their medical records.

LIJFH explained in its breach notification letters that an unauthorized medical record access incident came to light around January 24, 2020. LIJFH had been issued with a subpoena for documents in connection with a law enforcement investigation into a “No Fault” motor vehicle accident insurance scheme that referenced an LIJFH employee.

LIJFH reviewed the access logs for its medical record system and determined that the now-former employee had improperly accessed patients’ medical records. While no evidence was found to indicate any patient information had been misused, or that the former employee was in any way involved in the insurance scheme, the decision was taken to issue notification letters.

Notification letters were sent to all patients whose medical records had been accessed by the former employee during the period that the individual had access to patients’ medical records, irrespective of whether the patients had been involved in a motor vehicle accident. That period spanned from August 23, 2016 to October 31, 2017.

LIJFH said it has been fully cooperating with the law enforcement investigation and explained that notification letters to all patients had been delayed at the request of law enforcement so as not to interfere with the investigation. Notification letters started to be sent on August 5, 2021.

No credit card numbers or financial information were accessed by the employee, only the following types of information: name, date of birth, address, phone number, insurance information, internal medical record number, treatment location, treatment provider, date(s) of service, reason for visit, brief summary of the patient’s medical history, medications, test results, diagnoses, and/or other treatment-related information. The Social Security numbers of a limited number of patients were also potentially viewed.

LIJFH is offering complimentary credit monitoring and identity protection services to all individuals potentially affected by the incident for 12 months, or longer if required by state law.

LIJFH has confirmed that the individual is no longer employed by LIJFH. Steps have been taken to prevent and identify any further breach of this nature, including enhancing security tools that monitor access to medical record applications. Audits of medical record access are also being conducted by its compliance department. LIJFH said all employees already receive ongoing training on HIPAA and patient privacy. Following the discovery of the breach, the front-line staff was re-trained.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.