Healthcare provider Kaiser Permanente, based in Oakland, CA, discovered that a former staff member accessed the radiology information of many patients without permission over a period of 8 years.
Kaiser Permanente learned about the privacy breach in March and placed the employee on administrative leave while an internal investigation was under way. Kaiser Permanente found no valid explanation for the employee's behavior in accessing the information and determined that the data access was beyond the scope of the employee’s work. The first case of unauthorized access happened in 2012, and the employee kept accessing radiology data until 2020, when her actions were noticed.
The employee worked as an imaging technician in the radiology department and has already been dismissed for violating HIPAA rules. Although unauthorized access to protected health information (PHI) was confirmed, Kaiser Permanente did not find any evidence suggesting that patient data was duplicated or used to commit fraud or any other criminal activity.
Kaiser Foundation Health Plan of the Mid-Atlantic States reported the breach to the Department of Health and Human Services’ Office for Civil Rights on May 22, 2020. The breach report indicates that over 8 years, the imaging technician impermissibly accessed the files of 2,756 patients.
The healthcare provider notified all affected people about the privacy breach via mail.
Ridgeview Institute – Monroe Employee Dismissed Because of Unauthorized PHI Access and Impermissible Disclosure
Ridgeview Institute – Monroe, based in Georgia, provides mental health and addiction treatment services. An ex-employee of Ridgeview Institute viewed the files of some patients without consent and sent copies of patient information to a personal email account.
On January 14, 2020, Ridgeview Institute learned about the privacy breach, which prompted an internal audit to determine the nature and scope of the breach. The investigators took a while to find out exactly which records were copied and which patients were affected, hence the late notification to affected people.
The exposed data in the stolen records included patients’ full names, birth dates, patient ID numbers, Social Security numbers, health insurance firm names, diagnoses, treatment details, prescribed medicines, medical procedures, lab test results, and other test results.
The employee confessed to accessing and copying patient records without consent and stated that the records were later disclosed to her attorney and one other individual.
No reason was provided for why the information was stolen and impermissibly disclosed. Ridgeview Institute stated that the unauthorized individual promised that the person to whom the information was disclosed would not reveal it to other persons. The employee, who no longer works at Ridgeview, has confirmed that all copies of the documents were destroyed.
Ridgeview is in the process of notifying all affected patients and is offering them complimentary identity theft protection services.