Queens District Attorney Richard A. Brown announced that two employees of Jamaica Hospital Medical Center in Queens, New York have been charged with illegally accessing medical records and personal identification information of emergency room patients who were then contacted — some while they were still in the emergency room – by attorneys seeking to solicit them as clients and by others seeking to provide outpatient services.
District Attorney Brown identified the defendants as Maritza Amador, 44, of 8825 148th Street, in Jamaica, Queens, and Dache Prawl, 45, of 194-01 Linden Boulevard, in St. Albans, Queens. The defendants were arrested Friday night. They are variously charged with computer trespass, second-degree unlawful possession of personal identification information, and unauthorized use of a computer. If convicted, they each face up to four years in prison.
It is alleged that both Amador and Prawl each illegally accessed more than 250 different computer records of patient files, each containing, among other things, the patient’s Social Security number, date of birth, address, telephone number, and details regarding their injuries and medical treatment received in the emergency room at Jamaica Hospital Medical Center. The press release from District Attorney Brown’s office does not indicate which types of information were allegedly shared with the attorneys and “medical mills,” nor does it name the attorneys who solicited the patients or those who falsely claimed to be from the hospital to provide outpatient services.
According to the charges, defendant Amador, between February 10, 2012 and March 12, 2014, and defendant Prawl, between December 11, 2013 and March 17, 2014, illegally accessed the personal identification information. Both defendants were employed as registrars in the emergency room of Jamaica Hospital Medical Center, but none of the patients were registered by either of them, and therefore they had no legitimate reason to access the information.
A sampling of the accessed files charged in the criminal complaints includes an individual who sought treatment in the emergency room for injuries suffered as a result of a car accident. The hospital’s computer logs showed that less than two hours after the patient was registered, defendant Amador used her computer access login to access the individual’s records of medical treatment. Within two days of the emergency room visit, the patient received a phone call from a person falsely claiming that she was calling from Jamaica Hospital and she wanted to make sure that the patient received followup medical treatment. The patient also received a call from an attorney attempting to solicit the patient as a client relevant to the injuries which caused the emergency room visit.
In another case included in the complaint, defendant Prawl allegedly used her access to get the treatment records of another patient who had sought treatment for injuries suffered as the result of a motor vehicle accident. According to the hospital’s records, while the patient was still in the emergency room, the patient received calls from attorneys attempting to solicit the patient as a client. Additionally, less than one week later, the patient received a phone call from someone falsely representing that they were outside the patient’s home to transport the patient to outpatient therapy.
The hospital detected the breaches and notified law enforcement.
As of today’s date, the incident is not up on HHS’s public-facing breach tool, although it probably should appear at some point if 500 patients had their records improperly accessed and disclosed.
h/t, WSJ
Damn, shame, lock them up and throw away the key.its always something at that hospital anyway. Im not surprised. Smh!!!!
It’s not the hospital ! It’s those kind of employees with no brains bringing the institution down !!!
And who hires those employees? Who does the background checks? Who implements logs and auditing to prevent and catch bad actors? The hospital, so suggesting they’ve got no responsibility just will not pass muster.
Although healthcare facilities cannot control the bad actions of all of their employees, I agree wholeheartedly with Dissent that they are responsible for exercising due diligence in their hiring practices. A small critical access hospital where I previously worked had excellent background check policies that have, on occasion, discovered something that did not prevent someone from becoming employed but did result in a “we’re aware of this issue” discussion with the employee and closer monitoring of the employee. Healthcare facilities are also responsible for educating and monitoring their workforce.