Lowell Hospital Employee Fired for Accessing PHI Following Theft

by | Dec 10, 2017

The discovery has been made that the medical records of 769 patients of Lowell General Hospital in Massachusetts have been accessed by an employee without any valid work reason.

In accessing the medical details, the employee violated hospital policies and breached the privacy of patients.After finding the breach, and completion of the subsequent investigation, the employee was let go from their position. Lowell General Hospital was happy that only one person was involved, and that this was not a group-wide problem at the hospital.

Patients affected by the security incident have been alerted and a breach notice has been placed on the hospital website. Patients have been told that the types of information seen by the former member of staff included names, dates of birth, medical diagnoses, and information relating to treatments provided to people.

No financial data, health insurance details, or Social Security numbers were seen by the employee, and the investigation found no evidence to suggest that any of the data that was seen has been misused.

Lowell General Hospital supplies training to all staff, and clearly advises employees that the accessing of medical records without a legitimate reason is strictly forbidden. While checks are carried out to ensure that employees are abiding by hospital policies, the incident has lead to Lowell General Hospital conducting a review of its privacy and security policies relating to its medical records. Improvements will be completed to ensure that any future instances of snooping are identified quickly. The hospital will go on providing ongoing training to employees on patient privacy.

What it is not clear how long the employee was able to improperly access medical records before the privacy violations were found. The number of patients affected by the incident suggests the improper access had been going on for several months.

HIPAA required covered bodies and their business associates to constantly monitor PHI access logs for unauthorized access. While “regularly” is open to some interpretation, it is a good best practice to complete ongoing audits of access logs to help find unauthorized activity.

These audits can be completed manually, although tools are available to minimize the administrative burden. Those available tools are either rule-based or behavior-based. The former needs rules to be set which will trigger alerts if they are breached, while behavior based systems learn about normal access and trigger warnings if any anomalies are found. These automated solutions can help to find improper activity much more quickly, allowing rapid measures to be adapted when employees look at medical histories.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy