6,200 Patient Records Illegally Accessed by Hospital Employee

Covenant HealthCare has advised more than 6,000 patients that their electronic medical records were inappropriately accessed by one of its staff members.

The improper access was identified during a November 2016 review of EMR access logs. The audit revealed an unusual pattern of medical record access by a member of staff. Covenant HealthCare immediately ordered a full investigation into ePHI access by the employee to determine which medical records had been accessed and whether there was any legitimate reason for those records to have been accessed.

The review showed that the Covenant HealthCare employee first began improperly accessing its electronic medical record system on February 1, 2016. The improper access went on for nine months until November 21, 2016 and involved 6,197 patients. A range of data were possibly viewed including patient’s names, dates of birth, home addresses, health insurance information, diagnostic and treatment information, medical record numbers, Social Security numbers and driver’s license details.

Covenant HealthCare spokesperson Kristin Knoll revealed in a statement that an investigation into the HIPAA breach was immediately initiated and resulted in sacking of the employee. Knoll also confirmed that the breach has been filed to all appropriate agencies.

Affected patients have now been warned of the breach by mail, although the delay in issuing notifications was because Covenant required two months to complete its review.

No reports of misuse of patients’ information have been sumitted to date by Covenant HealthCare. All patients who have had their Social Security numbers accessed will be offered free credit monitoring and protection services to minimize risk.

To avoid future breaches like this, Covenant HealthCare has increased ongoing training on patient privacy. Audits of ePHI access logs will also be carried out more often to ensure that any future inappropriate access is identified quickly.