Oregon-based St. Charles Health System recently announced a privacy incident where an employee accessed approximately 2,500 patients’ electronic medical information without authorization.
St. Charles explained in an online statement that the caregiver in question reviewed files out of curiosity between October 8, 2014 and January 16, 2017. Accessed information may have included patient names, addresses, dates of birth, health insurance information, driver’s license numbers, and health information (e.g. diagnoses, physicians’ names, medications, treatment information).
An investigation was launched on January 16, 2017. The caregiver said in an affidavit that she did not use or share any of the patient data for fraud, financial crimes, or other crimes against the individuals whose records she viewed.
“St. Charles takes the privacy and security of our patients’ personal health information very seriously. We regard the protection of all patient information as part of our commitment to providing excellent care,” St. Charles Compliance Vice President Nicole Hough said in a statement. “The health system is doing everything possible to prevent a similar privacy breach from occurring in the future, including implementing additional medical record audits.”
Subsequently, Deschutes County District Attorney John Hummel launched a criminal investigation into the incident last week.
Hummel said in a press release that he will work with local law enforcement “to ensure that all relevant facts are detected and then conduct a legal analysis to determine if any criminal laws were violated.”
“I was dismayed to learn via media reports that apparently a St. Charles employee impermissibly accessed records of thousands of patients,” Hummel explained. “An alleged breach of this magnitude should have been reported to local police so that a proper criminal investigation could be conducted – as far as I’m aware this did not happen.”
Once the investigation is concluded, Hummel said he will announce his findings and, if necessary, file any criminal charges.
St. Charles Spokesperson Lisa Goodman told The Bulletin that the health system had followed the federal and state notification processes for a privacy violation. She explained that the affected patients were notified, along with the Secretary of the Department of Health and Human Services and the state attorney general.
“We have no indication that the caregiver involved is intending to use our patients’ information to commit a crime,” Goodman stated. “Nevertheless, we’ve offered affected patients the option of credit monitoring and identity restoration services because we think it is the right thing to do.”
The caregiver who reportedly viewed the patient information was not identified, nor were her specific job or the disciplinary action taken. Officials told the news source that the woman provided patient care as a clinical care provider, and was disciplined “swiftly and appropriately.”
While St. Charles maintained that no crime had occurred, Hummel told local news station NewsChannel21 that it was not up to the hospital to make that determination.
"That job is left to police officers, district attorneys, grand juries, judges and juries in the courtroom," Hummel explained.
Class action lawsuits, or even criminal cases, can sometimes stem from reported healthcare data breaches. However, it can be difficult for plaintiffs to prove their case.
For example, a Maryland court ruled in 2016 that plaintiffs in a class action lawsuit filed after the CareFirst data breach failed to demonstrate sufficient standing.
Two data breaches were reported: the first in June 2014, and the second shortly before May 2015. On April 21, 2015, CareFirst was conducting a risk assessment when it discovered that “a sophisticated cyberattack occurred.” The attack likely led to “limited unauthorized access to a database on June 19, 2014.”
Plaintiffs claimed that CareFirst “knew or should have known earlier of both breaches, as the information stolen is allegedly ‘highly coveted by and a frequent target of hackers.’”
The Maryland court held that it lacked subject matter jurisdiction, because the plaintiffs had not shown that they suffered any injury from the reported data breach.