Sentara Health Identifies Job Sharing Scam and Potential Unauthorized EMR Access
Sentara Health, a nonprofit healthcare provider serving Virginia, Northeastern North Carolina, and Florida, has notified 14,898 patients about a potential insider breach involving their electronic medical records.
Sentara Health’s Lab Services department hired an individual in December 2024 to process lab requisitions – orders from providers that explain the lab tests that need to be run for patients. The employee was a remote worker, and following a January 2025 virtual meeting with his manager, the manager raised concerns with the privacy team that the individual with whom the manager had been interacting might not have been the person who was initially hired for the position.
The employee’s access to Sentara’s systems was immediately terminated pending an investigation, and Sentara later determined that the employee’s activity was consistent with a job-sharing scam. These scams involve an individual obtaining employment at multiple locations and farming out the work to other individuals in exchange for a percentage of the pay. On or around January 28, 2025, Sentara completed its review and confirmed that the record access involving the employee’s login credentials was consistent with the assigned work duties; however, it was not possible to confirm that the hired individual completed those duties. Other individuals who were not authorized to share the job duties may have accessed patient data on behalf of the hired employee.
The potential unauthorized access involved patients who received lab tests between January 14 and January 23, 2025, and the types of information viewed may have included names, addresses, dates of birth, patient identification numbers, medical record numbers, telephone numbers, Social Security numbers, test order dates, test completion dates, and the name of the provider who ordered the tests. 1,620 individuals were affected. Notification letters were mailed to the affected individuals on March 28, 2025.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Sentara Health hired a further two individuals in January 2025 who worked remotely, and after virtual meetings with those employees on April 3, 2025, the individuals’ manager determined that the individuals who took part in those meetings appear to be different from the identity documents provided during the hiring process. Those individuals were performing the required job duties, but they were not the individuals who were hired and were conducting the work from outside the United States. The two individuals accessed the protected health information of 13,278 individuals who received tests between January 2025 and April 2025. The information accessed includes names, addresses, dates of birth, patient identification numbers, medical record numbers, telephone numbers, Social Security Numbers, the lab tests that were ordered, the name of the provider who ordered the tests, and the date the labs were ordered. Notification letters were mailed to the affected individuals on June 9, 2025.
As a precaution, complimentary credit monitoring and identity theft protection services have been offered. Sentara Health is in the process of evaluating additional platforms for staff education, and technical security controls are being reviewed.
