Montefiore Medical Center and Geisinger Fire Employees for Improper PHI Access

What Information is Protected Under HIPAA Law

Share this article on:

Montefiore Medical Center in Bronx, NY has fired an employee over the alleged theft of the protected health information of approximately 4,000 patients. Montefiore became aware of a potential internal data breach in July 2020 and launched an investigation into unauthorized medical record access.

Montefiore had implemented a technology solution that monitors EHRs for inappropriate access, which identified the employee. The investigation confirmed that the employee had accessed medical records without any legitimate work reason between January 2018 and July 2020.

Accessing the medical records of patients when there is no legitimate reason for doing so is a violation of HIPAA and hospital policies. Montefiore said criminal background checks are performed on all employees prior to being given a position at the medical center and Montefiore provides HIPAA training to all employees. The employee in question had received significant privacy and security training but had chosen to violate internal policies and HIPAA Rules.

The investigation into the breach is ongoing and the matter has been reported to NYPD, which has launched a criminal investigation.

“Montefiore deeply regrets this incident and will not tolerate any violation of patient privacy,” said a spokesperson for the medical center. “In support of all HIPAA guidance and laws, we view this activity to be criminal in nature and are fully cooperating with law enforcement as the case moves forward.”

The types of information accessed by the former employee included names, addresses, dates of birth, and Social Security numbers. Affected patients have been offered complimentary identity theft protection services for 12 months and are protected against financial loss by a $1,000,000 identity theft insurance policy.

Montefiore Medical Center is now expanding its monitoring capabilities and employee training programs.

Geisinger Fires Employee for Unauthorized Medical Record Access

Geisinger has fired an employee for improper medical record access.  A member of the workforce alerted the Geisinger Privacy Office about an employee who was suspected of accessing the medical records of patients when there was no legitimate work reason for doing so.

The report was received on June 3, 2020 and an investigation into unauthorized access was immediately launched. The investigation was concluded on September 8, 2020. The employee in question worked at a Geisinger Clinic and was authorized to access patient records, but the investigation revealed the records of around 700 patients had been accessed without any work reason for doing so. The unauthorized access started in June 2019 and continued until June 2020.

The types of information that could be viewed included names, dates of birth, medical record numbers, dates of service, social security numbers, addresses, phone numbers, medical conditions, diagnoses, medications, treatment information and other clinical notes. A review of the employee’s network activity uncovered no evidence to suggest information had been stolen but, out of an abundance of caution, all affected patients have been offered complimentary credit monitoring and identity theft protection services.

“At Geisinger, protecting our patients’ and members’ privacy is of the utmost importance and we are constantly working on safeguards and protocols to identify incidents such as these so we can prevent such occurrences in the future,” said Geisinger Chief Privacy Officer, Jonathan Friesen.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On