Patient Privacy Violated in Incidents at VCU Health and Cheyenne Regional Medical Center

A lengthy privacy violation has been detected by Virginia Commonwealth University Health System (VCU Health) that potentially started on January 4, 2006. According to the substitute breach notification on the VCU Health website, transplant donor information had been included in the medical records of certain transplant recipients, and transplant recipient information had also been included in the medical records of transplant donors.

When donors, recipients of transplants, or their representatives logged into the patient portal to view their medical records, they would have been able to view information about the donor/recipient. It is also possible that the information was provided to individuals who exercised their right under HIPAA to obtain a copy of their health information. In each case, the exposed information was not accessible to the public, only to specific transplant donors and recipients.

The privacy issue was detected by VCU Health on February 7, 2022, with the subsequent investigation confirming that additional information may also have been viewable, which included names, Social Security numbers, lab results, medical record numbers, date(s) of service, and/or dates of birth.

Affected individuals have been notified by mail and have been offered complimentary credit monitoring services if their Social Security numbers had been exposed. Steps have also been taken to improve privacy protections and prevent similar incidents in the future. VCU Health said, in total, 4,441 transplant donors and recipients had been affected.


Cheyenne Regional Medical Center Discovers Employee Snooped on Patient Records for 2 Years

Cheyenne Regional Medical Center (CRMC) has discovered a former employee had been accessing the medical records of patients without authorization for almost two years. The former employee had been provided with access to patient data to complete her work duties but had been accessing the records of patients for reasons unrelated to her role.

The privacy violation came to light when a former co-worker reported the individual for the HIPAA violation after a transfer to a different department within the medical center. The incident was investigated internally and it was confirmed that the records of up to 1,600 patients had been viewed without authorization between Aug. 31, 2020, and May 26, 2022.

CRMC compliance director, Gladys Ayokosok, said no evidence was found to suggest any patient information was copied or further disclosed by the former employee, and affected individuals have now been notified about the employee’s HIPAA violation. The types of information that may have been viewed included names, dates of birth, Social Security numbers, dates of care, medical record numbers, diagnoses, and treatments.

According to Ayokosok, the access went undetected for so long because the former employee had previously worked with the electronic health record provider. To detect any cases of snooping in the future, the IT department has created an audit trail, which will allow the IT team to tell if employees access records an unusual number of times, see why employees are accessing patient records, and check to make sure there is a legitimate reason for accessing patient data.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.