It has been discovered that the protected health information of thousands of patients of University Hospital Newark (NY) was stolen by an unauthorized healthcare worker at the hospital over the course of 12 months.
After the PHI was stolen, it was shared with further unauthorized individuals. While data breaches like this are a frequent occurrence, this one was slightly unusual in that it took place some time ago, at some point between January 1, 2016, and December 31, 2017.
During this period, the former employee in question was authorized to view certain patient data for some work tasks. However, once they had finished this project, they continued to access the data beyond what they had been given permission for and for purposes unrelated to their work functions. The data accessed included names, addresses, dates of birth, Social Security data, health insurance details, medical records, and clinical information connected with the treatment administered to patients at University Hospital.
A spokesperson for University Hospital revealed that the issue has been reported to the relevant law enforcement agencies and a criminal investigation has been initiated. The hospital began issuing notification letters on October 11, 2021, to anyone who may have been impacted by the breach. Additionally, those impacted have been offered free identity theft and credit monitoring services for one year.
To mitigate any further danger to the PHI and stop breaches like this happening in future, internal policies and processes have been reviewed and additional privacy training has been provided.
The official breach notification sent to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) on October 8, 2021, revealed that the breach has impacted 9,329 patients.
Sadly, breaches where healthcare workers access and sell PHI to cybercriminals and identity thieves take place on a regular basis. However, the nature of the data stolen indicates that may not be the case on this occasion. To date, University Hospital has not shared the circumstances in which the access took place or how they became aware of it. The only details that have been made available are that the illegal access was related to the PHI of patients who attended the emergency department and were treated for injuries that they experienced due to a motor vehicle accident between 2016 and 2017.
In addition to this, on November 5, 2021, University Hospital revealed to OCR another breach of HIPAA, connected with an insider breach, that impacted 10,067 patients. This breach impacted a similar set of data types as the earlier breach. Coincidentally, the PHI was also that of people who were involved in road traffic accidents. This breach took place at times because it was the same person involved in both breaches. However, they did reveal that a criminal investigation remains ongoing and the individual involved no longer works at University Hospital. On November 5, 2021, the group started to send notification letters to those impacted by the breach.