Cases of staff members accessing on medical records are relatively common, although an incident at Tewksbury Hospital in Massachusetts stands out duration of time that an employee was accessing medical records without authorization before being apprehended.
The hospital was advised about the employee in April after a former patient made a complaint about their medical record being accessed inappropriately. In reaction to the complaint, the hospital carried out a full review which showed the former patient’s medical records had been accessed by a staff member without any legitimate reason for doing so.
Further investigation revealed it was more than a solitary offense. The employee had been accessing the records of patients without authorization for a time period of 14 years. The first instance occurred 2003 and the inappropriate access continued until May 2017. During that time, the employee accessed the records of more than 1,000 patients.
Tewksbury Hospital, which is operated by the Department of Public Health, has now written to all patients whose medical records were inappropriately accessed, although many of those people are now former patients and the hospital no longer holds valid contact information. In an attempt to contact those people, a substitute data breach notice has been placed on the Mass.gov official website.
The employee was a clerk at the hospital and had to have access to medical records in order to complete work functions. Those access rights were abused and as a result, the employee was fired and no longer has access to the EMR system.
The types of date that were possibly accessed includes names, phone numbers, addresses, gender, dates of birth, medical diagnoses, details of medical treatment provided to the hospital and in some cases, Social Security numbers.
Tewksbury Hospitals says measures have now been taken to lessen the probability of similar incidents occurring in the future and to make sure that if records are accessed inappropriately, incidents are detected quickly. Those steps included conducting a review of policies and procedures regarding access to its EMR system and a reassessment of how access logs to medical records are reviewed. Staff will also be given additional training on the privacy and security of protected health data.
Tewksbury Hospital says the review did not uncover any proof to suggest protected health information was misused in any way.
The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, which investigates all data violations that have impacted more than 500 individuals. If the investigation shows HIPAA Rules have been breached by the hospital, the penalty is likely to be severe for a breach of this lengthy time period.