A former employee of Huntington Hospital in New York faces a criminal HIPAA violation case over unauthorized access to the health records of 13,000 patients.
The night shift employee impermissibly accessed patients' health files from October 2018 to February 2019. The data viewed included demographic information such as names, phone numbers, addresses, birth dates, medical record numbers, and internal account numbers, and clinical information such as diagnoses, prescription drugs, laboratory test results, treatment details, and healthcare provider names. Huntington Hospital stated it found no evidence that Social Security numbers, credit card numbers, insurance details, or other payment-related data were accessed.
The employee was suspended immediately when Huntington Hospital learned of the unauthorized access. At the same time, the hospital conducted a full investigation. The investigation was completed on February 25, 2019, and the employee was terminated for the HIPAA violation. The hospital also notified law enforcement.
The hospital stated that all workers had undergone HIPAA training and are taught their duties with respect to patients' protected health information (PHI). This training program is ongoing. Security tools are in place to monitor for unauthorized access, and access logs are audited regularly. Because of the breach, the hospital had to enhance its access controls, and additional targeted instruction was given to employees to remind them of the importance of protecting patient privacy.
Huntington Hospital recently issued a press release about the unauthorized access and has now mailed breach notification letters to all affected individuals. Although the HIPAA Breach Notification Rule requires notification letters to be sent to affected individuals within 60 days of discovering a data breach, notification can be delayed when law enforcement requests it. In this instance, law enforcement asked the hospital to postpone sending notifications so as not to obstruct the investigation. The hospital received clearance from law enforcement to send breach notification letters this November.
Although it is believed that the employee did not access Social Security numbers or financial details, the hospital has offered affected individuals free identity theft protection services for a year, or longer where required by federal law.
The law enforcement investigation concluded that the unauthorized access warranted criminal charges for the HIPAA violation.
Southwestern Vermont Medical Center Patients Alerted About Insider Data Breach
Southwestern Vermont Medical Center has sent breach notification letters to a number of patients whose health records were acquired by a former resident doctor.
On or about September 16, 2021, the Bennington hospital discovered that the former doctor had copied parts of certain patients' health records and sent them to a personal email account in June 2021, before finishing their residency. The patient data theft was reported to authorities, and the hospital is assisting with the breach investigation. At this point in the investigation, it is uncertain why the health records were copied.
The types of data acquired by the doctor differed from one patient to another and might have included one or two of the following types of PHI: first and last name, birth date, medical record number, name of treating provider, summaries of care, and some data that was documented in order to provide patients with healthcare services.
Southwestern Vermont Medical Center stated that it has received no reports of misuse of patient data; nonetheless, affected patients are being urged to monitor the account statements they receive from their healthcare providers and insurance companies.