University Hospital Newark (NY) reported that a former hospital employee acquired the protected health information (PHI) of thousands of patients by accessing their records without authorization over a one-year period. That information was later shared with other people who were also not authorized to access the data.
Insider breaches like this are common, but what makes this incident stand out is the duration of the access. University Hospital Newark stated in its substitute breach notice that the unauthorized access happened between January 1, 2016, and December 31, 2017.
The former employee was permitted to access patient information to carry out work responsibilities but exceeded the approved use and accessed patient files that were not needed for the job. The types of data viewed and obtained by the employee included names, dates of birth, addresses, Social Security numbers, medical record numbers, health insurance details, and clinical data associated with the care patients received at University Hospital. University Hospital said the incident was reported to the proper authorities and that there is an ongoing criminal investigation into the unauthorized access and disclosure.
University Hospital said it mailed breach notification letters to affected persons starting on October 11, 2021, and has given those people complimentary one-year identity theft and credit monitoring services. University Hospital said steps were taken to reduce the risk of similar data breaches, such as an assessment of internal policies and processes and further training for employees on patient privacy. University Hospital reported the breach to the Department of Health and Human Services’ Office for Civil Rights on October 8, 2021, as affecting 9,329 individuals.
Workers frequently access and share PHI with identity thieves, but the kind of information obtained suggests that may not be the case in this incident. University Hospital did not disclose the reason behind the access or how the breach was uncovered, only that the ex-worker accessed the PHI of patients who went to the emergency department and were treated for injuries sustained in motor vehicle accidents from 2016 to 2017.
On November 5, 2021, University Hospital submitted another insider breach report to the HHS’ Office for Civil Rights, this one affecting 10,067 people. The breach involved the same data types as the earlier reported breach and was likewise connected to patients involved in motor vehicle accidents. The unauthorized access took place from January 1, 2018, to December 31, 2019, and involved the PHI of patients who were in vehicle accidents between 2018 and 2019. University Hospital did not state whether this was the same person, but said that a criminal investigation is in progress and that the employee concerned is no longer employed at University Hospital. Notification letters were sent to affected persons starting on November 5, 2021.
In August this year, Long Island Jewish Forest Hills Hospital in New York notified about 10,000 patients that their PHI had been impermissibly viewed and disclosed from August 23 to October 31, 2017. The breach likewise impacted patients who had gone to the emergency unit following a motor vehicle accident. That breach came to light after a subpoena was received as part of a “No Fault” motor vehicle accident insurance plan.
In January 2020, Beaumont Health announced an impermissible access and disclosure case that also concerned the PHI of patients who were involved in motor vehicle accidents, with the access running from February 1, 2017, to October 22, 2019. The former employee was believed to have exposed the patients’ PHI to an affiliated personal injury lawyer.