University Hospital Newark (NY) has discovered that the protected health information of thousands of patients was accessed by a former employee without authorization over the course of a year. That information was subsequently disclosed to other individuals who were also not authorized to view it.
Insider breaches such as this are fairly common, although what makes this case stand out is when the access occurred. In its substitute breach notice, University Hospital Newark said the unauthorized access occurred between January 1, 2016, and December 31, 2017.
The former employee had been provided with access to patient data to complete work duties but had exceeded the authorized use of that access and had viewed patient data not pertinent to job functions. The types of information viewed and obtained by the individual included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information related to care patients received at University Hospital. University Hospital said the matter has been reported to law enforcement and a criminal investigation into the unauthorized access and disclosure is ongoing.
University Hospital said it started mailing notification letters to affected individuals on October 11, 2021, and has offered those individuals complimentary identity theft and credit monitoring services for 12 months. University Hospital said steps have been taken to reduce the risk of further data breaches of this nature, including a review of internal policies and procedures and further training for the workforce on patient privacy. The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 9,329 patients.
Employees often access PHI and disclose it to identity thieves, although the nature of the data obtained suggests that may not be the case in this instance. University Hospital has not disclosed the reason for the access or how the breach was discovered, only that the former employee accessed the PHI of patients who visited the emergency department and received treatment for injuries sustained in a motor vehicle accident between 2016 and 2017.
In August this year, Long Island Jewish Forest Hills Hospital in New York notified more than 10,000 patients whose PHI was impermissibly accessed and disclosed between August 23, 2016, and October 31, 2017. The breach similarly impacted patients who had visited the emergency department after a motor vehicle accident. That breach came to light when a subpoena was received as part of a “No Fault” motor vehicle accident insurance scheme.
In January 2020, Beaumont Health announced an impermissible access and disclosure incident also involving the PHI of patients who were involved in a motor vehicle accident between February 1, 2017, and October 22, 2019. The former employee was believed to have disclosed the PHI to an affiliated personal injury lawyer.
The post University Hospital Newark Notifies 9,000 Individuals About Historic Insider Data Breach appeared first on HIPAA Journal.