Share this article on:
An investigation has been launched following a complaint about a data breach at the University of Cincinnati Medical Center. The HIPAA security breach occurred when a hospital employee in the financial services division accessed the data of a patient and shared that information with a third party, who subsequently used the information to conduct a hate campaign on Facebook.
The hospital took action rapidly when the incident came to light and terminated the employment of the individual in question, with legal action soon to commence. This incident was reportable under HIPAA guidelines to the Office for Civil Rights and while the hospital claims to have issued a notification to the OCR, the OCR was unable to confirm whether the report had been received.
A failure to report the incident would be a direct HIPAA violation, although the University of Cincinnati Medical Center claims to have documentation to prove that the notification of the data breach was made via the HHS website well within the notification deadline.
Fines are issued by the OCR for data breaches as well as HIPAA compliance failures. In this instance, since data was accessed and used deliberately the Medical Center could potentially be issued with a heavy fine as a result of the unauthorized use of the data. Deliberate data breaches – those conducted with the full knowledge of the individual concerned – can result in fines of between $10,000 and $1.5 million being issued by the OCR.
The hospital denies any wrongdoing and since the individual responsible for posting details of the patient on Facebook was not employed by the medical center a fine may be avoided. However, questions will be raised about why an individual in the finance department was allowed access to ePHI when this should not be required for the individual to perform his role at the hospital.
The federal investigation will address these issues and will determine whether the hospital – under the circumstances – should have restricted access to PHI and if any other HIPAA compliance issues exist; however at this stage the hospital has yet to receive any notification that an investigation has been commenced.