NYC Health & Hospitals Corp. posted a notice this week (reproduced below) that suggests that a rogue employee may have been selling PHI to law firms or clinics that specialize in motor vehicle accident patients.
Of note, this notice does not specify any one hospital where the employee worked. Did the employee have access to all patients’ data across all hospitals in the network?
How did the hospital learn of this — who told them and how did that person know?
And will they even be able to sort out how many patients may be impacted? Do/did they have good access logs in 2016? And can they determine for every access whether the employee had a legitimate reason to access the patient’s file?
This looks to be a costly and time-consuming mess.
h/t, Becker’s Hospital Review
Notice of Possible Unauthorized Disclosure of Protected Health Information
Dec 02, 2019
On October 3, 2019, NYC Health + Hospitals was notified that of some of its patients’ protected health information (PHI) had been inappropriately disclosed by an employee of NYC Health + Hospitals, between 2016 and November 2019. The disclosed PHI included patients’ names, telephone numbers, and the fact that they had been involved in motor vehicle accidents. An investigation of the incident is ongoing, and appropriate discipline of the employee is being pursued. If you were involved in a motor vehicle accident between 2016 and November 2019, and, as a result, were treated at a NYC Health + Hospitals hospital, your PHI may have been included in this unauthorized disclosure. For more information, please call (877) 514-0832.