New York-based Huntington Hospital began notifying 13,000 patients of a data breach that exposed protected health information (PHI) and resulted in a former employee being charged with a HIPAA violation.
Huntington Hospital discovered on February 25, 2019, that a night shift employee was improperly accessing electronic medical records without role-based authorization. Further investigation revealed that the employee accessed PHI continually from October 2018 to February 2019.
The hospital immediately suspended the employee, and he was later terminated. Following instruction from law enforcement, Huntington Hospital delayed notification of the incident until November 24, 2021.
The former employee may have accessed names, birth dates, addresses, internal account numbers, telephone numbers, medical record numbers, diagnoses, medication information, lab results, and names of healthcare providers.
Investigators found no evidence that Social Security numbers, credit card numbers, or insurance information was compromised.
“Huntington Hospital has a robust compliance program that includes ongoing training of its employees, implementation of security tools to monitor access to medical record applications, and audits of medical record access,” the hospital’s notice explained.
“The hospital has taken additional steps to prevent this type of incident from occurring in the future, including bolstering access controls and targeted re-training of staff on the importance of protecting patient confidentiality.”
Huntington Hospital is offering all impacted patients free identity theft protection services for one year. The former employee was charged with a criminal HIPAA violation.
“This notice is being provided in accordance with the media notice requirements of the Health Insurance Portability and Accountability Act, as amended by Health Information Technology for Economic and Clinical Health Act,” the hospital noted.
“Huntington Hospital has notified impacted patients and will notify relevant regulatory bodies, including the U.S. Department of Health and Human Services.”
HHS’s Office for Civil Rights (OCR) typically enforces the HIPAA Privacy and Security Rules by investigating complaints and conducting compliance reviews. If OCR determines that a person committed a civil violation, it may impose civil money penalties. However, if OCR discovers a possible criminal violation, it refers the complaint to the Department of Justice (DOJ).
Criminal HIPAA violations can be handled in different ways depending on the level of severity. Covered entities and specific individuals who knowingly obtain or disclose PHI may face a fine of up to $50,000 as well as up to one year of imprisonment for violating the Administrative Simplification Regulations, according to the American Medical Association (AMA).
If the offense was committed under false pretenses, penalties may be increased to a $100,000 fine and up to five years in prison. Individuals or covered entities with the intent to sell, transfer, or use PHI for commercial advantage or personal gain can face up to $250,000 in fines and up to ten years in prison.
On the civil side, OCR recently settled its twentieth HIPAA Right of Access Case with a Nebraska children’s hospital for allegedly violating HIPAA by not providing timely access to PHI.
This post, Former NY Hospital Employee Charged with HIPAA Violation, was first shared by Health IT Security on November 30, 2021.