Member of Hospital Staff Was Accessing Medical Records Without Authorization for 14 Years

by | Jul 30, 2017

Cases of staff members accessing on medical records are relatively common, although an incident at Tewksbury Hospital in Massachusetts stands out duration of time that an employee was accessing medical records without authorization before being apprehended.

The hospital was advised about the employee in April after a former patient made a complaint about their medical record being accessed inappropriately. In reaction to the complaint, the hospital carried out a full review which showed the former patient’s medical records had been accessed by a staff member without any legitimate reason for doing so.

Further investigation revealed it was more than a solitary offense.  The employee had been accessing the records of patients without authorization for a time period of 14 years. The first instance occurred 2003 and the inappropriate access continued until May 2017. During that time, the employee accessed the records of more than 1,000 patients.

Tewksbury Hospital, which is operated by the Department of Public Health, has now written to all patients whose medical records were inappropriately accessed, although many of those people are now former patients and the hospital no longer holds valid contact information. In an attempt to contact those people, a substitute data breach notice has been placed on the official website.

The employee was a clerk at the hospital and had to have access to medical records in order to complete work functions. Those access rights were abused and as a result, the employee was fired and no longer has access to the EMR system.

The types of date that were possibly accessed includes names, phone numbers, addresses, gender, dates of birth, medical diagnoses, details of medical treatment provided to the hospital and in some cases, Social Security numbers.

Tewksbury Hospitals says measures have now been taken to lessen the probability of similar incidents occurring in the future and to make sure that if records are accessed inappropriately, incidents are detected quickly. Those steps included conducting a review of policies and procedures regarding access to its EMR system and a reassessment of how access logs to medical records are reviewed. Staff will also be given additional training on the privacy and security of protected health data.

Tewksbury Hospital says the review did not uncover any proof to suggest protected health information was misused in any way.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, which investigates all data violations that have impacted more than 500 individuals. If the investigation shows HIPAA Rules have been breached by the hospital, the penalty is likely to be severe for a breach of this lengthy time period.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy