Cedars-Sinai Hospital in Los Angeles was selected by reality TV star Kim Kardashian and rapper Kanye West as the hospital to have their daughter delivered. Their baby was born on June 15th, but three days later some staff members started looking at the medical records of one of the hospital's patients. The hospital revealed that the records were accessed over a period of seven days.
Six staff accessed the medical records which they were not permitted to view, with one individual accessing 14 patient records and the other five accessing the record of a single patient. The hospital did not reveal the names of the patients affected by this security breach and according to the L.A. Times, neither Kardashian nor West was available for comment on the privacy violation. The hospital did reveal that all patients affected by the breach had been contacted and notified of the unauthorized access and the hospital did not think that any crimes had been committed.
Cedars-Sinai adheres to strict policies to protect confidential medical records and the persons who accessed PHI of patients did not have the proper security credentials to do so. Access was gained using the login details of other members of the workforce.
Four of the staff had some medical privileges at the hospital but were employed by community physicians, one was working directly for the hospital as a medical assistant and another was a student research assistant. According to a statement released by the hospital, access to the data was possible thanks to the use of the logins of three community physicians: Dr. Sam Bakshian, Dr. Abraham Ishaaya, and Dr. Shamim Shakibai.
All three doctors were given permission to remotely access the data and all provided their login details to their assistants, which was in breach of hospital policy. The other login used to access the PHI was issued to the doctor’s employee directly for the purpose of sending out bills.
Cedars-Sinai's Chief Privacy Officer reassured the public and patients that security at the hospital is normally of a very high standard and said that unauthorized access to data is “quite simply unacceptable”. This is the second time members of staff have been involved in incidents involving improper access to PHI at the hospital. In 2009 a member of staff stole records of patients and used the data to make fraudulent insurance claims.
The five members of staff who viewed the records inappropriately have now been sacked and the student research assistant’s time at the hospital has also come to an end.
As a further warning, the hospital will also restrict access to records by the individuals concerned, even if they gain employment at another health provider. Law enforcement has also been made aware of this as a precaution, although there is no evidence to suggest that any of the data viewed will be used for criminal purposes.
When the employees accessed the data they breached HIPAA regulations, and as such the Office for Civil Rights may conduct an investigation. The OCR has the authority to issue fines for HIPAA non-compliance issues and data violations, with the healthcare institution often held responsible in cases where employees have inappropriately viewed patient records.
In 2008, a worker at the UCLA Health System accessed the records of Britney Spears, Farrah Fawcett and Maria Shriver and was convicted of selling medical information, for profit, to the National Enquirer. UCLA had to settle with federal regulators for $865,500. A fine of up to $50,000 can be applied for each breach.