Henry Mayo Newhall Hospital in Santa Clarita, CA has dismissed a number of its employees because of snooping on the Saugus High School shooter’s health records.
Under the Health Insurance Portability and Accountability Act (HIPAA) Regulations, hospital employees only have the authorization to access patients medical records if they have a treatment relationship with the patients or if there’s an otherwise legit business connection for accessing the patient records.
The HIPAA Security Rule expects HIPAA-covered entities to employ systems for recording activity in data systems that contain patient’s electronic protected health information (ePHI) and consistently evaluate logs of system activity to detect unauthorized access. There must be a sanctions policy, which should be employed when any one of the employees violates the privacy of patients.
On November 14, 2009, one Saugus High School student shot five students and then shot himself. Two students died and the shooter also died the next day after he was brought to Henry Mayo Newhall Hospital.
A review of system activity logs showed a number of hospital employees had viewed shooter’s health records. The hospital looked into the probable HIPAA violations and learned that in a number of cases, personnel had accessed the patient records without any legit business reason.
The director of marketing, public relations, and community engagement of Henry Mayo Newhall Hospital, Patrick Moody, issued a statement in the Santa Clarita Gazette that all hospital employees undergo comprehensive yearly training on state and federal privacy rules. The HIPAA training consists of detailed information on the potential outcomes of violating any of these rules. All alleged breaches of its HIPAA policies are carefully inspected with applicable consequences, such dismissed.
Email Account Breach at Ozark Orthopaedics
Ozark Orthopaedics in Fayetteville, AR began informing 15,240 patients regarding a recent data security breach that involve their protected health information (PHI).
Ozark Orthopaedics detected unusual activity in the email accounts of employees on October 8, 2019. The provider took immediate steps to safeguard the email system. The incident was investigated to find out if any patient data was compromised. It was confirmed on November 18, 2019 by Ozark Orthopaedics that an unauthorized person accessed four employee email accounts. On December 20, 2019, Ozark found out that the following PHI was contained in the email accounts: patient names, diagnoses, treatment details, prescription or medicine details, medical insurance data, Medicare/Medicaid ID numbers, financial account data and Social Security numbers.
There was no evidence found that suggest the access or theft of patient information. There was also no report received that indicate the misuse of any patient data. Patients received notification on February 28, 2020. Steps on improving email security have been undertaken by Ozark Orthopaedics to stop other breaches later on.