HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Snooping St. Charles Health System Employee Accessed Almost 2,500 Patient Records

The four-hospital St. Charles Health System in central Oregon has discovered an employee accessed the medical records of almost 2,500 patients without authorization over a period of 27 months from October 2014 to January 2017.

On January 16, 2017, the unnamed caregiver was discovered to have improperly accessed the medical records of a single patient, prompting a review of her ePHI access logs. That investigation revealed that this was far from a one-off incident. The improper access dated back to October 8, 2014. During that time, the caregiver was found to have accessed 2,459 patient files with no legitimate work reason for doing so.

When confronted about the improper access, the employee said she had accessed the records out of curiosity with no malicious intent. The health system said it took ‘swift and appropriate action’ and the employee was disciplined, although it is unclear what the disciplinary action involved and whether the employee was terminated as a result of her actions.

The health system does not consider the employee’s actions to have been criminal in nature, and a signed affidavit was obtained in which the employee stated she had not used the information or shared it with others for the purpose of committing fraud, financial crimes or any other crimes against the patients concerned.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights and state regulators. Affected patients are being notified of the privacy breach by mail. All individuals affected by the breach have been offered credit monitoring and identity theft restoration services for 12 months as a precaution.

The information accessed by the employee included names, addresses, dates of birth, driver’s license numbers, health insurance information, diagnoses, medications prescribed, treatment information, and physicians’ names.

A statement about the incident was issued by Nicole Hough, vice president of compliance at St. Charles Health System, saying “We want our patients and their families and the community to really understand how sorry we are for this situation and understand we took swift action and we are taking action to ensure this doesn’t happen again.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.