HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Virginia Commonwealth University Health System Discovers 3-Year HIPAA Breach

For the past three years, the electronic medical records of patients of Virginia Commonwealth University Health System have been inappropriately accessed by employees of physician groups.

In total, around 2,700 individuals, many of whom were children, have had their medical records viewed and their privacy violated.

VCU Health System provides access to patients’ medical records to community physician groups and contracted vendors. Community physicians are able to share patients’ medical records with the VCU Health System to ensure continuity of care when referring patients. Contractors that provide medical equipment to patients are similarly given access to medical records.

However, VCU Health System discovered ‘an unusual pattern of accessing medical records’ in January. Further investigation revealed that individuals were accessing patients’ medical records without any legitimate business reason for doing so, and that records had been accessed for a period of more than three years. The first privacy breach occurred on January 3, 2014, and inappropriate access continued until January 10, 2017, when the privacy breaches were discovered. The records were accessed by a contractor and employees of some community physician groups that were partnered with Virginia Commonwealth University Health System.

The types of information accessed include names, addresses, medical record numbers, birth dates, visit dates, health care provider names, health insurance details, medical information, and some patients’ Social Security numbers.

According to a statement released by VCU Health System, the investigation did not uncover any evidence to suggest that health insurance information had been used inappropriately and no information appears to have been accessed with malicious intent.

VCU Health System determined which individuals had improperly accessed patients’ medical records, and their employers terminated those employees. To prevent similar breaches in the future, VCU Health System has implemented new safeguards against inappropriate system access. All individuals impacted by the privacy breaches have been offered complimentary credit monitoring services for 12 months.

The incident highlights how important it is for controls to be put in place to prevent the inappropriate accessing of medical records and for regular audits of PHI access logs to be conducted. It may not always be possible to prevent inappropriate accessing of medical records by employees, partners and business associates, but fast identification of privacy violations will allow healthcare organizations to take action to limit the harm caused.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.