Medical Record Snooping Case Leads to $240K HIPAA Settlement

June 15, 2023 - The HHS Office for Civil Rights (OCR) reached a HIPAA settlement with Yakima Valley Memorial Hospital to resolve a medical record snooping case involving 23 security guards. Yakima Valley Memorial Hospital agreed to pay $240,000 and implement a corrective action plan.

OCR launched an investigation into Yakima Valley Memorial Hospital in May 2018 following the receipt of a breach notification that stated that 23 security guards working in the hospital’s emergency department used their credentials to access patient medical records.

Specifically, the guards accessed the names, dates of birth, addresses, treatment notes, medical record numbers, and insurance information of 419 individuals without a job-related purpose.

In addition to the $240,000 settlement, OCR will monitor Yakima Valley Memorial Hospital for the next two years to ensure compliance with the HIPAA Security Rule. The hospital has agreed to implement a variety of corrective actions, including enhancing its HIPAA and Security Training Program and reviewing relationships with vendors and third-party providers to ensure that business associate agreements are in place.

 Additionally, the hospital must conduct a risk analysis to identify any vulnerabilities to electronic protected health information (PHI), develop a risk management plan, and maintain and revise its written HIPAA policies and procedures.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. [Healthcare] organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer.

“HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identi[t]y theft and fraud.”

As previously reported, insider threats can cause just as much damage to PHI as external threats. Insider threats may be careless or negligent workers, but they could also be inside agents or disgruntled employees. Regardless of intent, incidents stemming from insider threats may result in data breaches.

Verizon’s recently released 2023 Data Breach Investigations Report (DBIR) stressed the importance of mitigating insider threat risks.

The report highlighted the continuing relevance of miscellaneous errors in healthcare that result in data breaches, whether in the form of “that spreadsheet with sensitive employee health information accidentally being sent to a much wider distribution than planned” or “a mailing error with paper documents that are placed in such a way that too much information is visible in the envelope’s clear window.”

Even though external threats such as hackers and ransomware gangs accounted for 66 percent of Verizon’s logged healthcare incidents, insider threats cannot be ignored.