Yakima Valley Memorial Hospital agreed to the voluntary settlement after an investigation into the actions of 23 emergency department security guards who allegedly used their login credentials to access the patient medical records of 419 patients.
The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information, according to a release by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). A breach notification report alerted OCR to the snooping.
As part of the agreement, OCR will monitor Yakima Valley Memorial Hospital for 2 years and the hospital must conduct a thorough risk analysis as well as develop a risk management plan to address and mitigate identified security risks and vulnerabilities. The settlement is not considered an admission of guilt by the hospital.
Is such snooping common?
The incident highlights the frequent practice of employees snooping through medical records and the steep consequences that can result for providers, said Paul Redding, vice president of partner engagement and cybersecurity at Compliancy Group, a company that offers guided HIPAA compliance software for healthcare providers and vendors.
“I think the problem is absolutely growing,” he said. “What’s crazy about this case is it’s actually a really small HIPAA violation. Less than 500 people were affected, and the hospital still must pay a quarter-of-a-million-dollar settlement. If you take the average HIPAA violation, which is in the thousands and thousands of [patients], this amount would be magnified many times over.”
In general, employees snoop through records out of curiosity or to find out information about people they know – or want to learn about, said J. David Sims, a cybersecurity expert and CEO of Security First IT, a company that provides cybersecurity solutions and IT support to health care businesses.
Mr. Sims says he has heard of cases where health professionals snooped through records to find information about the new love interests of ex-partners or to learn about people on dating websites whom they’re interested in dating.
“Most of the time, it’s people being nosy,” he said. “In a lot of cases, it’s curiosity about famous people. You see it a lot in areas where you have football players who come in with injuries or you have an actor or actress who comes in for something.”
“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the health care industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” OCR director Melanie Fontes Rainer said in a June statement. “HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”
Yakima Valley Memorial Hospital did not return a message seeking comment.
According to OCR’s latest report to Congress, complaints about HIPAA violations increased by 39% between 2017 and 2021. Breaches affecting fewer than 500 individuals rose by 5% during the same time period, and breaches impacting 500 or more individuals increased by 58%.