An update on the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) breach portal has revealed that a previously employed contract staff member may have illegally accessed the medical records of a range of patients working at Chicago Northwestern Memorial Hospital.
This Healthcare Insurance Privacy Accountability Act (HIPAA) breach was initially identified on December 2, 2020. Following an investigation of the access logs, it was discovered that the temporary staff member viewed patient records despite not having a valid work reason for doing so. The individual accessed the medical records in question for more than a month. However, the subsequent investigation has shown that there is nothing to indicate that insurance information or Social Security numbers were viewed or copied during this HIPAA breach. The range of data that may have been accessed includes patient names, addresses, and treatment history.
Additionally, representatives from Northwestern Memorial Hospital have said that, to date, there is no proof that any fraudulent activity was carried out using the data that was accessed, but patients should double check any bills they get.
According to the breach notification published, the HIPAA breaches took place between October 27, 2020 and December 2, 2020.
Northwestern Memorial Hospital released an official statement in relation to the privacy breach revealing that the records of 682 patients may have been accessed and confirmed that the temporary worker no longer works at the health center. Additionally, no further details have been uncovered as to why the records were accessed at all. All impacted individuals are being alerted about the privacy breach via mail and the incident has been made known to the appropriate agencies.
The statement read: “Northwestern Memorial has no reason to suspect that there has been any re-disclosure of any patient information associated with the incident.”
This incident is typical of many that involve a member of staff breaching HIPAA rules, on purpose or inadvertently, and further highlights the need for HIPAA training to be conducted for all members of staff on an ongoing basis. Conducting ongoing training for staff to make them aware of their responsibilities in relation to HIPAA minimizes the potential for a breach like this, which could lead to penalties including financial sanctions and directives to implement new data management security procedures and processes.
This is just the latest HIPAA breach which was caused by a member of staff completing an action that is prohibited under the HIPAA legislation. Some of the others include:
- University of Minnesota Physicians & McLeod Health Experience Email Account Breaches
- Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000
- Stockdale Radiology and Affordacare Urgent Care Clinics Targeted in Ransomware Attacks
- 156,400 People Have PHI Breached in Personal Touch Home Care Ransomware Attack
- LabCorp Patients Personal and Health Data Exposed in Website Error