Crain’s reports:
A volunteer at NYC Health + Hospitals/Coney Island gained unauthorized access to the protected health information of nearly 3,500 patients, the hospital told the U.S. Department of Health and Human Services last week.
The volunteer in Coney Island’s phlebotomy department entered patient names in a logbook, cleaned up data storage areas and transported specimens within the hospital—without being vetted beforehand by Coney Island’s human resources department, hospital chief executive Anthony Rajkumar wrote in a sample letter to affected patients.
“NYC Health + Hospitals apologizes for the concern this incident may have caused and assures you that we are doing everything we can to make sure an incident of this nature does not reoccur,” Rajkumar wrote.
Read more on Crain’s New York.
But what was the breach? Was there any wrongdoing by the volunteer at all, or is this just a case where the hospital erred in giving this person access to PHI but the person did nothing wrong with it? Was this a “what might have happened buy didn’t” notification?
DataBreaches.net called the hospital to inquire, and asked whether the volunteer had done anything untoward or if this was just a case of the volunteer not having been properly vetted by HR. A hospital spokesperson replied, “this individual did not go through the appropriate human resources process for volunteers, which is a violation of the hospital’s policies and practices.”
Presumably the volunteer had not signed the typical employee agreements which dictate privacy policies, NDAs, etc. Therefore PII and PHI were technically leaked to an unauthorized third party.
The volunteer has since probably signed paperwork stating that they did not, and will not, disseminate any privileged information.