Criminal HIPAA Violation for Former Huntington Hospital Employee
After accessing 12,925 patient records without permission, a former worker at Huntington Hospital in New York has been charged with a criminal HIPAA violation.
The Huntington Hospital staff member in question was working on the night shift when he illegally accessed patients’ medical records over a four-month period from October 2018 to February 2019. The data viewed by the staff member included demographic information such as names, birth dates, telephone contact details, address information, internal account data, medical record information, and clinical records such as diagnoses, medications, laboratory test results, treatment details, and healthcare supplier names. Huntington Hospital said it had not found any evidence to indicate that Social Security numbers, insurance information, credit card numbers, or other payment-related information had been accessed.
When the unauthorized access was first spotted, the staff member was quickly suspended from their position and an official investigation was initiated. The investigation came to an end on February 25, 2019. The employee was fired due to the HIPAA breach, and the relevant law enforcement agencies were made aware of the matter.
The hospital said all staff members are given HIPAA training and are made aware of their legal obligations in relation to the protected health information of patients, and that its training program remains current. The hospital has security measures in place that check for unauthorized access, and regular audits of access logs are completed. The breach has led the hospital to enhance its access controls, and additional, targeted training has been conducted for staff members, concentrating on the importance of ensuring patient confidentiality.
Huntington Hospital recently made a public announcement in relation to the breach and has issued breach notification letters to all those impacted. While the HIPAA Breach Notification Rule states that notification letters must be sent to affected patients within 60 days of the discovery of a data breach, law enforcement agencies can request that this be delayed further so the investigation is not impacted. Although it is not thought that Social Security numbers and financial information were accessed in the breach, the hospital has made free identity theft protection services available to those impacted for 12 months, or longer if required to do so by state laws.
The law enforcement investigation found that the unauthorized access should result in criminal charges for the HIPAA breach. According to official court documents, the employee, Luis Soriano, worked at three unidentified New York hospitals, initially as a patient caretaker, then as a licensed emergency department technician, and in the third hospital as a telemetry technician, and is believed to have illegally accessed patient data from all three hospitals.