Huntington Hospital – Notice of Unauthorized Access to Personal Information
November 24, 2021 at 14:00 PM EST
Huntington Hospital has sent notices to approximately 13,000 patients about an incident involving the unauthorized access of personal information. The hospital learned that a night shift employee improperly accessed electronic medical patient records in violation of its policies. After a thorough investigation, on February 25, 2019, the hospital determined that the employee improperly accessed patient information without role-based authorization between October 2018 and February 2019. The employee was immediately suspended, and he was subsequently terminated. In addition, Huntington Hospital notified law enforcement of the incident. The hospital cooperated with the law enforcement investigation, which included following instructions to delay notifying any patients who were potentially impacted by this incident through November 2021. The law enforcement investigation resulted in the former employee being charged with a criminal HIPAA violation.
There is no evidence that the former employee accessed Social Security numbers, insurance information, credit card numbers or other payment-related information. The patient information accessed by the former employee may have included demographic-type information such as name, date of birth, telephone number, address, internal account number and medical record number; and clinical information such as diagnoses, medications, laboratory results, course of treatment, the names of health care providers, and/or other treatment-related information.
Huntington Hospital has a robust compliance program that includes ongoing training of its employees, implementation of security tools to monitor access to medical record applications, and audits of medical record access. The hospital has taken additional steps to prevent this type of incident from occurring in the future, including bolstering access controls and targeted re-training of staff on the importance of protecting patient confidentiality.
As an added precaution, Huntington Hospital is offering all impacted patients complimentary identity theft protection services through Experian IdentityWorksSM for one (1) year, unless a longer time period was required by applicable state law.
This notice is being provided in accordance with the media notice requirements of the Health Insurance Portability and Accountability Act, as amended by Health Information Technology for Economic and Clinical Health Act. Huntington Hospital has notified impacted patients and will notify relevant regulatory bodies, including the U.S. Department of Health and Human Services.