DataBreaches.Net

Former Roswell Park nurse pleads guilty to tampering with a consumer product

Posted on March 12, 2021 by Dissent

Articles on breaches involving protected health information (PHI) often raise the specter of what could happen if a patient’s records were misused and the patient’s healthcare suffered as a result.  Here’s a case where it reportedly happened.  This case also raises some questions about access controls and the value of audits and follow-up on audits.

Let’s start with a news report by Anthony Reyes on WKBW that Kelsey Mulvey, a former registered nurse at Roswell Park Comprehensive Cancer Center in New York, pleaded guilty to tampering with a consumer product.

In June 2019, the U.S. Attorney’s Office announced 28-year-old Kelsey Mulvey, of Grand Island, was charged with the tampering of a consumer product, acquiring controlled substances by fraud and HIPAA violations.

Mulvey appeared virtually in federal court Wednesday and pleaded guilty to one count of tampering with a consumer product. The other charges were dropped as part of a plea agreement with prosecutors.

According to WKBW’s report, Mulvey admitted to searching patient files to find out which patients were taking drugs she wanted, and then replaced those drugs in the medication dispensing machine with vials of water. So she took the medications for her own use, and patients got water instead of their prescribed medication.

Not only did the patients not get their prescribed medication, but six patients reportedly became ill due to waterborne bacteria “and it was determined Mulvey’s actions were to blame.”

You can read a lot more of the details on WKBW. The former nurse’s misconduct was suspected in 2018 and the entity followed up promptly.

In a 2019 statement, the center said, in part:

Since that time, we have taken significant organizational steps to enhance ongoing prevention, detection and response to health care worker drug diversion.

These include heightened surveillance with high-tech software, on-campus security features, review and revision of current policy and procedures, and increased staff training and education on what they can do to keep their patients and themselves safe as it relates to drug diversion. We have also enhanced dedicated resources for the diversion prevention program.

As it turns out, in 2015, NYS had completed an audit of the center’s security for ePHI. The full audit report is still available online here.  Was there anything in the audit’s findings that would have prevented this incident had recommendations been followed, or did the center essentially get a clean bill of health on access controls?  While it was commendable that the center appears to have detected the nurse’s misbehavior via its own means, could the misbehavior have been prevented?  It might be informative if some HIPAA experts and security professionals took a hard look at the audit of 2015 to see whether anything could have or should have been done differently by the auditors or by the center.

Is this just one of those incidents that we have to accept can occur despite adequate or “reasonable” security? Given the high safety risk to patients if their medication is altered or compromised, what lessons should other entities be learning from this case?

Category: Breach Incidents, Commentaries and Analyses, HIPAA, Insider, Of Note
