University Hospital Newark (NY) has found out that a former worker had accessed the protected health information(PHI) of thousands of patients without authorization over the duration of a year. That information was later disclosed to other people who were likewise not approved to view the details.
Insider breaches like this are pretty common, though what makes this situation stick out is when the access took place. University Hospital Newark stated in its substitute breach notice, the unauthorized access happened between January 1, 2016, and December 31, 2017.
The former staff was provided access to patient files to finish work tasks however had gone beyond the permitted use of that access and had viewed patient information not related to job functions. The types of data accessed and taken by the individual consist of names, dates of birth, addresses, Social Security numbers, health insurance data, medical record numbers, and clinical details associated with care patients acquired at University Hospital. University Hospital mentioned the incident was reported to law enforcement and there is an ongoing criminal investigation into the unauthorized access and disclosure.
University Hospital reported it began mailing notification letters to affected persons on October 11, 2021, and has made available to those people complimentary 12-months identity theft and credit monitoring services. University Hospital stated steps were done to minimize the risk of further data breaches like this, including an assessment of internal policies and protocols and more training for the employees on patient data privacy. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicated that 9,329 patients were impacted.
Workers usually access and expose PHI to identity thieves, though the nature of the information obtained suggests that may not be the case in this case. University Hospital has not revealed the explanation for the access or how the breach was learned, only that the former worker got access to the PHI of patients who went to the emergency department and obtained treatment for injuries suffered in a motor vehicle incident from 2016 to 2017.
In August this year, Long Island Jewish Forest Hills Hospital in New York informed more than 10,000 patients who had their PHI impermissibly accessed and exposed between August 23, 2016, and October 31, 2017. The breach in the same way impacted patients who went to the emergency department following a motor vehicle accident. That breach became known upon receipt of a subpoena as part of a “No-Fault” motor vehicle accident insurance scheme.
In January 2020, Beaumont Health made an announcement that an impermissible access and disclosure incident also impacted the PHI of patients who were involved in a motor vehicle accident from February 1, 2017, to October 22, 2019. The ex-staff was thought to have exposed the PHI to an affiliated personal injury lawyer.
