EHR snooping leads to criminal HIPAA violation charges in New York

A Long Island-area hospital announced this past week that one of its night shift employees had improperly accessed electronic health record information in violation of its policies.  

Huntington Hospital sent notices to about 13,000 patients regarding the incident, explaining that the employee had been terminated and eventually charged with a criminal HIPAA violation.  

“Huntington Hospital has a robust compliance program that includes ongoing training of its employees, implementation of security tools to monitor access to medical record applications, and audits of medical record access,” said the hospital in a news release about the incident.  


Although the hospital determined that the employee had accessed patient information in an unauthorized capacity between October 2018 and February 2019, it did not announce that the incident had taken place until November 2021.

According to the hospital, the notification delay came at the instruction of law enforcement, which was investigating the incident. That investigation resulted in the HIPAA violation charges.  

The hospital said there is no evidence that its then-employee accessed Social Security numbers, insurance information, credit card numbers or other payment-related information.   

The data may have, however, included: 

  • Demographic-type information such as name, date of birth, telephone number, address, internal account number and medical record number
  • Clinical information such as diagnoses, medications, laboratory results, course of treatment, the names of healthcare providers and/or other treatment-related information  

The hospital said it would offer a year of complimentary identity theft protection services as an added precaution.  


Although the majority of security incidents that make headlines these days involve ransomware, employee snooping is still a perennial issue in the healthcare sector.  

In February of this year, Montefiore Medical System, also based in New York, notified patients of a security breach involving illegal access to HIPAA-protected health information.  

But there is help: This past year, in an effort to curb such incidents, security firm CynergisTek updated its Patient Privacy Monitoring Services to help providers more proactively identify insiders who might be seeking unauthorized information, specifically about COVID-19.  


“The hospital has taken additional steps to prevent this type of incident from occurring in the future, including bolstering access controls and targeted re-training of staff on the importance of protecting patient confidentiality,” said Huntington in its press release.
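As an added example (not code from the hospital or from any monitoring product named above), one form the medical-record access audits described in this article can take: constructed audit-log lines are checked against a constructed care-team roster, and users who open many records with no treatment relationship are flagged, together with the share of those accesses that fell in night-shift hours. The log format, roster, threshold and night window are assumptions.

```python
# Constructed sample data; the audit format and roster source are assumptions.
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed audit log: timestamp,user,mrn,action (assumed format).
SAMPLE_LOG = """\
2019-01-14T02:10:05,nurse_a,MRN1001,view_chart
2019-01-14T02:12:40,nurse_a,MRN1002,view_chart
2019-01-14T02:15:11,nurse_a,MRN1003,view_labs
2019-01-14T02:20:33,nurse_a,MRN1004,view_chart
2019-01-14T09:05:00,dr_b,MRN1001,view_chart
2019-01-14T09:40:12,dr_b,MRN1007,view_chart
"""

# Constructed treatment-relationship roster (in practice built from ADT/scheduling feeds).
ASSIGNMENTS = {
    "nurse_a": {"MRN1001"},
    "dr_b": {"MRN1001", "MRN1007"},
}

def parse_log(text):
    """Parse CSV audit lines into dicts with a datetime timestamp."""
    rows = []
    for ts, user, mrn, action in csv.reader(StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "mrn": mrn, "action": action})
    return rows

def find_unassigned_access(rows, assignments):
    """Return {user: sorted MRNs} for accesses lacking a care-team link."""
    hits = defaultdict(set)
    for r in rows:
        if r["mrn"] not in assignments.get(r["user"], set()):
            hits[r["user"]].add(r["mrn"])
    return {u: sorted(m) for u, m in hits.items()}

def flag_users(rows, assignments, max_unassigned=2, night=(0, 6)):
    """Flag users over the unassigned-access threshold; report night-shift share."""
    flagged = {}
    for user, mrns in find_unassigned_access(rows, assignments).items():
        if len(mrns) <= max_unassigned:
            continue  # a few unassigned lookups are normal (consults, covering)
        user_rows = [r for r in rows if r["user"] == user and r["mrn"] in mrns]
        at_night = sum(night[0] <= r["ts"].hour < night[1] for r in user_rows)
        flagged[user] = {"unassigned_mrns": mrns,
                         "night_share": at_night / len(user_rows)}
    return flagged
```

A flag is a lead for a privacy officer to review against the roster and shift schedule, not a conclusion; the threshold should be tuned per role to avoid drowning reviewers in legitimate cross-coverage.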

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.