Healthcare provider Kaiser Permanente, based in Oakland, CA, found that a former employee accessed the radiology files of a large number of patients without authorization over a period of 8 years.
Kaiser Permanente learned about the privacy breach in the latter part of March and placed the employee on administrative leave while it investigated. Kaiser Permanente found no legitimate justification for the employee's viewing of the files and concluded that the records access was outside the scope of the employee's duties. The unauthorized access began in 2012, and the employee continued accessing radiology files until 2020, when her activity was uncovered.
The employee worked as an imaging specialist in the radiology department and has since been terminated for violating HIPAA regulations. Although unauthorized access to protected health information (PHI) was confirmed, Kaiser Permanente found no evidence that patient details were stolen or used to commit fraud or any other crime.
Kaiser Foundation Health Plan of the Mid-Atlantic States submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights on May 22, 2020. The breach report shows that over the 8 years, the imaging specialist impermissibly viewed the records of 2,756 patients.
The healthcare provider notified all affected individuals of the privacy breach by mail.
Ridgeview Institute – Monroe Employee Fired Due to Unauthorized Data Access and Impermissible Disclosure
Ridgeview Institute – Monroe, based in Georgia, offers mental health and addiction treatment services. A former employee of Ridgeview Institute viewed the information of a number of patients without permission and sent copies of patient data to a private email account.
On January 14, 2020, Ridgeview Institute learned of the privacy breach, which prompted an internal investigation to determine the nature and extent of the breach. The investigators took a long time to ascertain exactly which data was copied and which patients were affected, hence the late notice to affected individuals.
The compromised information in the stolen files included patients’ full names, dates of birth, patient ID numbers, Social Security numbers, medical insurance company names, diagnoses, treatment data, prescription medications, medical operations, laboratory tests and other test findings.
The employee admitted to accessing and copying patient data without permission and said the information was then shared with her lawyer and one other person.
No explanation has been given for why the data was copied and impermissibly disclosed. Ridgeview Institute said that the unauthorized person gave assurances that the individual with whom the data was shared will not disclose it to other people. The employee, who no longer works at Ridgeview, has affirmed that all copies of the records were disposed of properly.
Ridgeview is in the process of informing all affected patients and is providing them with free identity theft protection services.