Huntington Hospital in New York has disclosed an insider-wrongdoing incident that occurred between October 2018 and February 2019. Although they determined in February, 2019 that the now-former employee was engaging in unauthorized access to patient records, and suspended the employee (and eventually terminated the employment), they were asked to delay notification to those impacted until this month. The former employee has been charged with a criminal violation of HIPAA and 13,000 patients have been notified.
The employee’s motivation was not made clear in the notification, but the hospital reports:
There is no evidence that the former employee accessed Social Security numbers, insurance information, credit card numbers or other payment-related information. The patient information accessed by the former employee may have included demographic-type information such as name, date of birth, telephone number, address, internal account number and medical record number; and clinical information such as diagnoses, medications, laboratory results, course of treatment, the names of health care providers, and/or other treatment-related information.
You can read their notice here.