Ann & Robert H. Lurie Children’s Hospital of Chicago, which is a pediatric specialty hospital, found out that an ex-employee accessed certain patients’ medical records without having an authorized work reason. The employee’s unauthorized action transpired during the time period from September 10, 2018 to September 22, 2019.
The hospital discovered the violation on November 15, 2019 and instantly ended all access the employee had to all patient data while the investigation of the incident was ongoing. The employee consequently received disciplinary action for violating HIPAA and hospital policies and was laid off from work.
The types of information potentially viewed by the employee were names, addresses, birth dates, appointment dates, diagnoses, medical treatments, and some limited medical data. No Social Security numbers, financial data, or medical insurance data was accessed by the employee.
The breach notice posted on the website of Ann & Robert H. Lurie Children’s Hospital did not mention why the ex-employee accessed some patient data. However, the hospital stated that it is very unlikely for any patient data to have been stolen, further exposed, or misused.
The hospital mailed breach notification letters to the affected patients on December 26, 2019. As a preventative measure against improper use of their personal and medical data, the hospital advised the affected patients to keep track of the statements provided by their healthcare provider. The hospital’s spokesperson said that Lurie Children’s seriously regrets the occurrence of this incident and affirmed that they are taking of steps to stop any more incidents of this type from happening again later on, such as providing additional HIPAA training to employees regarding the policies of the hospital and unauthorized patient information access.
The Department of Health and Human Services’ Office for Civil Rights has not yet posted the incident on its breach webpage, therefore the number of affected patients is unknown at the moment.