Ex-NY Hospital Staffer Responsible for Data Breach of Patients’ PHI

August 12, 2021 - Long Island Jewish Forest Hills Hospital (LIJFH) notified patients of a data breach exposing their protected health information (PHI). The PHI had been exposed during an unauthorized access event by a former employee.  

On August 6, LIJFH announced in a press release that patients were “potentially impacted by a former employee’s unauthorized access of electronic medical records.” 

The Queens, NY-based hospital is addressing the data security incident and offering free credit monitoring services to any patients impacted by the data breach. 

The data breach investigation arose on January 24, 2020, when a “subpoena was issued seeking documents in connection with an investigation into a ‘no fault’ motor vehicle accident insurance scheme,” the press release states.  

“After receiving this subpoena, LIJFH reviewed the matter and determined that a former employee who was referenced in the subpoena improperly accessed certain electronic medical records,” it states. “To date, LIJFH has no evidence that the information accessed by the former employee was used improperly or had anything to do with the insurance scheme that was being investigated.” 

Out of an abundance of caution, the hospital “decided to notify every patient whose medical records were accessed by the former LIJFH employee through its medical record system during the period of time for which the former employee had access to patient records (August 23, 2016 through October 31, 2017.)” 

All of those patients are being notified, regardless “of whether the patient was involved in a motor vehicle accident,” it states. “LIJFH cooperated fully with the investigation, which included following law enforcement’s instructions to delay notifying any patients who were potentially impacted by the scheme through August 5, 2021.” 

Credit card numbers and payment information were not part of the data breach, according to the release. 

The data incident may “have included information from one or more of the following categories: (1)demographic-type information such as the patient’s name, date of birth, address, phone number, insurance information, internal medical record number and/or, in some cases, a Social Security number; and (2) clinical information such as the name of the treatment location, the name of the treatment provider, date(s) of service, reason for the visit, brief summary of the patient’s medical history, a list of the patient’s medications, the patient’s test results, the patient’s diagnoses, and/or other treatment-related information,” the release notes.  

LIJFH has taken steps to bolster cybersecurity, including adding “additional security tools to monitor the access to medical record applications.” 

“Also, employees are receiving ongoing training on the importance of respecting patient privacy, and targeted re-training of front-line staff was given,” it notes. “Finally, the Compliance Department conducts audits of medical record access to minimize the risk of such incidents occurring in the future.”   

LIJFH said it published the press release in accordance with requirements “of the Health Insurance Portability and Accountability Act, as amended by Health Information Technology for Economic and Clinical Health Act. LIJFH has notified impacted patients and will notify relevant regulatory bodies, including the U.S. Department of Health and Human Services.”