Articles on breaches involving protected health information (PHI) often raise the specter of what could happen if a patient’s records were misused and the patient’s healthcare suffered as a result. Here’s a case where it reportedly happened. This case also raises some questions about access controls and the value of audits and follow-up on audits.
Let’s start with a news report by Anthony Reyes on WKBW that Kelsey Mulvey, a former registered nurse at Roswell Park Comprehensive Cancer Center in New York, pleaded guilty to tampering with a consumer product.
In June 2019, the U.S. Attorney’s Office announced 28-year-old Kelsey Mulvey, of Grand Island, was charged with the tampering of a consumer product, acquiring controlled substances by fraud and HIPAA violations.
Mulvey appeared virtually in federal court Wednesday and pleaded guilty to one count of tampering with a consumer product. The other charges were dropped as part of a plea agreement with prosecutors.
According to WKBW’s report, Mulvey admitted to searching patient files to find out which patients were taking drugs she wanted, and then replaced those drugs in the medication dispensing machine with vials of water. So she took the medications for her own use and patients got water instead of their prescribed medication.
Not only did the patients not get their prescribed medication, but six patients reportedly became ill due to waterborne bacteria “and it was determined Mulvey’s actions were to blame.”
You can read a lot more of the details on WKBW. The former nurse’s misconduct was suspected in 2018 and the entity followed up promptly.
In a 2019 statement, the center said, in part:
Since that time, we have taken significant organizational steps to enhance ongoing prevention, detection and response to health care worker drug diversion.
These include heightened surveillance with high-tech software, on-campus security features, review and revision of current policy and procedures, and increased staff training and education on what they can do to keep their patients and themselves safe as it relates to drug diversion. We have also enhanced dedicated resources for the diversion prevention program.
As it turns out, in 2015, NYS had completed an audit of the center’s security for ePHI. The full audit report is still available online. Was there anything in the audit’s findings that would have prevented this incident had recommendations been followed, or did the center essentially get a clean bill of health on access controls? While it was commendable that the center appears to have detected the nurse’s misbehavior via its own means, could the misbehavior have been prevented? It might be informative if some HIPAA experts and security professionals took a hard look at the audit of 2015 to see whether anything could have or should have been done differently by the auditors or by the center.
Is this just one of those incidents that we have to accept can occur despite adequate or “reasonable” security? Given the high safety risk to patients if their medication is altered or compromised, what lessons should other entities be learning from this case?