UnityPoint Health’s Allen Hospital Discovers 7-Year Privacy Breach

An employee of UnityPoint Health’s Allen Hospital in Waterloo, Iowa, was recently discovered to have abused her access rights to patient health information over a period of seven years. During that time, the employee is understood to have improperly accessed the protected health information of 1,620 patients.

Allen Hospital discovered the improper access on March 14, 2016. The discovery triggered a full review of the employee’s access history, which revealed that she had first begun improperly accessing patient records in September 2009.

The data potentially accessed by the employee include patients’ names, dates of birth, home addresses, health insurance information, medical record numbers, and treatment information. Some patients’ Social Security numbers may also have been viewed.

Employees are frequently found to have accessed patient records without authorization; what makes this case stand out is how long it took Allen Hospital to discover the HIPAA breach. Jim Waterbury, Allen Hospital’s vice president for institutional advancement, said the breach took so long to discover because the employee’s job required her to access patient health records, so individual accesses did not stand out as unauthorized.

The matter has now been reported to the Department of Health and Human Services’ Office for Civil Rights and disciplinary action has been taken against the employee, although it is not clear if that involved terminating her employment.

All affected patients have been sent notification letters by mail to alert them to the breach of their privacy. No evidence has been uncovered to suggest that any patient data have been stolen or used inappropriately, although all affected patients will be provided with credit monitoring services for a year as a precaution against fraud and identity theft. Patients have been provided with further information on how they can protect their identities.

Waterbury issued a statement saying “We apologize to our affected patients, and we accept our responsibility to keep this event from happening again.” All staff will be re-educated on UnityPoint Health’s policies regarding the accessing of patient health records and employees’ responsibilities under HIPAA.

Preventing employees from improperly accessing patient health records is difficult when their work requires access to those records: access controls alone cannot distinguish a legitimate lookup from one driven by curiosity. The control that remains is detective. Healthcare providers must have policies requiring that PHI access logs be reviewed regularly for access that has no documented clinical or business reason, which is what the HIPAA Security Rule’s audit controls standard (45 CFR 164.312(b)) means when it requires mechanisms that record and examine activity in systems holding ePHI. The faster a privacy breach is detected, the less harm it can cause.

This incident has prompted Allen Hospital to introduce an internal audit program so that any instances of improper access to patient health records are identified rapidly.
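As an added illustration of what the log review described above and an audit program of the kind Allen Hospital is introducing can actually check, the Python below is example code written for this page, not UnityPoint Health’s or Allen Hospital’s tooling. It reviews a constructed EHR access-audit log (the CSV layout, unit codes, user names and medical record numbers are all invented) against a constructed table of documented care relationships, and flags each access that has no care relationship, crosses unit boundaries, or falls outside the user’s shift. The point it makes is the one the article makes: a user whose job requires record access will pass an access-control check every time, so the review has to compare each access against a reason for it.

```python
"""Review EHR access-audit logs for accesses that lack a documented reason.

Added example for this page. The log format, field names, unit codes,
user names, MRNs and the care-relationship table are constructed for
illustration and do not come from Allen Hospital or UnityPoint Health.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample audit log.
# Columns: timestamp, user, user's unit, patient MRN, patient's unit, action
SAMPLE_LOG = """\
2016-03-10T09:12:00,jdoe,ONC,MRN1001,ONC,VIEW
2016-03-10T09:15:00,jdoe,ONC,MRN1002,ONC,VIEW
2016-03-10T21:40:00,jdoe,ONC,MRN2001,ED,VIEW
2016-03-10T21:42:00,jdoe,ONC,MRN2002,ED,VIEW
2016-03-10T21:43:00,jdoe,ONC,MRN2003,MAT,VIEW
2016-03-10T10:05:00,asmith,ED,MRN2001,ED,VIEW
2016-03-10T10:06:00,asmith,ED,MRN2002,ED,UPDATE
"""

# Constructed: patients each user has an active encounter or documented
# care relationship with (in a real system this comes from the EHR's
# encounter, scheduling or care-team tables).
CARE_RELATIONSHIPS = {
    "jdoe": {"MRN1001", "MRN1002"},
    "asmith": {"MRN2001", "MRN2002"},
}


def parse_log(text):
    """Parse CSV audit lines into event dicts with a datetime timestamp."""
    fields = ["ts", "user", "user_unit", "mrn", "patient_unit", "action"]
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        row["ts"] = datetime.fromisoformat(row["ts"])
        events.append(row)
    return events


def review_access(events, relationships, shift_hours=(7, 19)):
    """Return one finding per event that trips at least one rule.

    A finding is (user, mrn, timestamp, [reasons]). Each rule on its own
    is weak evidence (clinicians legitimately cover other units and work
    nights); an access that trips several is what a reviewer should open.
    """
    start, end = shift_hours
    findings = []
    for ev in events:
        reasons = []
        # Rule 1: no documented care relationship between user and patient.
        if ev["mrn"] not in relationships.get(ev["user"], set()):
            reasons.append("no_care_relationship")
        # Rule 2: patient belongs to a different unit than the user.
        if ev["user_unit"] != ev["patient_unit"]:
            reasons.append("cross_unit")
        # Rule 3: access outside the user's assumed shift window.
        if not start <= ev["ts"].hour < end:
            reasons.append("after_hours")
        if reasons:
            findings.append((ev["user"], ev["mrn"], ev["ts"], reasons))
    return findings


def triage(findings):
    """Count flagged accesses per user so repeat offenders surface first."""
    return Counter(user for user, _, _, _ in findings)


if __name__ == "__main__":
    flagged = review_access(parse_log(SAMPLE_LOG), CARE_RELATIONSHIPS)
    for user, mrn, ts, reasons in flagged:
        print(f"{ts.isoformat()} {user} -> {mrn}: {', '.join(reasons)}")
    print(dict(triage(flagged)))
```

Run against the constructed log, the review flags only jdoe’s three evening lookups of patients outside the oncology unit, each tripping all three rules, while both users’ in-unit accesses pass. A production version would pull the care-relationship table from the EHR rather than a dict, add checks for self, coworker and family-member lookups, and compare each user’s daily volume against their own baseline; the structure of the review stays the same, and running it on a schedule is what turns a seven-year gap into a seven-day one.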

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.