Share this article on:
University Hospital Newark (NY) has discovered the protected health information of thousands of patients has been acquired by a former employee, who accessed the information without authorization over the course of a year. That information was subsequently disclosed to other individuals who were also not authorized to view the information.
Insider breaches such as this are fairly common, although what makes this case stand out is when the access occurred. In its substitute breach notice, University Hospital Newark said the unauthorized access occurred between January 1, 2016, and December 31, 2017.
The former employee had been provided with access to patient data to complete work duties but had exceeded the authorized use of that access and had viewed patient data not pertinent to job functions. The types of information viewed and obtained by the individual included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information related to care patients received at University Hospital. University Hospital said the matter has been reported to law enforcement and a criminal investigation into the unauthorized access and disclosure is ongoing.
University Hospital said it started mailing notification letters to affected individuals on October 11, 2021, and has offered those individuals complimentary identity theft and credit monitoring services for 12 months. University Hospital said steps have been taken to reduce the risk of further data breaches of this nature, including a review of internal policies and procedures and further training for the workforce on patient privacy. The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on October 8, 2021 as affecting 9,329 patients.
Employees often access and disclose PHI to identity thieves, although the nature of the data obtained suggests that may not be the case in this instance. University Hospital has not disclosed the reason for the access or how the breach was discovered, only that the former employee accessed the PHI of patients who visited the emergency department and received treatment for injuries sustained in a motor vehicle accident between 2016 and 2017.
On November 5, 2021, University Hospital reported another insider breach to the HHS’ Office for Civil Rights that affected 10,067 individuals. The breach involved the same data types as the previously reported breach and was also linked to individuals involved in road traffic accidents. The unauthorized access occurred between January 1, 2018, and December 31, 2019 and involved the PHI of individuals involved in motor vehicle accidents between 2018 and 2019. University Hospital did not say if this was the same individual but confirmed a criminal investigation is ongoing and the individual concerned is no longer employed at University Hospital. Notification letters were sent to affected individuals starting November 5, 2021.
In August this year, Long Island Jewish Forest Hills Hospital in New York notified more than 10,000 patients whose PHI was impermissibly accessed and disclosed between August 23, 2016, and October 31, 2017. The breach similarly impacted patients who had visited the emergency department after a motor vehicle accident. That breach came to light when a subpoena was received as part of a “No Fault” motor vehicle accident insurance scheme.
In January 2020, Beaumont Health announced an impermissible access and disclosure incident also involving the PHI of patients who were involved in a motor vehicle accident between February 1, 2017, and October 22, 2019. The former employee was believed to have disclosed the PHI to an affiliated personal injury lawyer.