A covered entity recently discovered that a former employee had “snooped” (inappropriately accessed) over 10,000 patient records almost 4 years after the snooping began. The employee accessed the records in the EHR over a period of about 14 months. That’s over 700 records per month. The snooping went undetected until the former employee was referenced in an unrelated subpoena received by the entity. The former employee accessed the following patient information: names, birthdates, Social Security numbers, medical record numbers, medical histories, medications, and diagnosis and treatment details, among others.
The employee’s inappropriate access to patient records could have been detected far sooner by periodic system access reviews of the EHR audit logs. Earlier detection would have reduced the number of patients impacted by the breach, the cost of providing identity theft monitoring to those patients and other breach response expenses, and the reputational damage from media exposure. The entity reported the breach to the HHS Office for Civil Rights (OCR) earlier this month.
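The kind of periodic access review described above can be largely automated from the EHR's audit log. The following is an added example, not code from the entity or from any EHR vendor: it runs two checks over a small, constructed audit-log excerpt (the users, MRNs and timestamps are invented). The first check flags any user whose count of distinct patient records viewed in a month is far above the median for peers in the same role; a snooper viewing 700 records a month stands out against clerks or nurses viewing a few dozen. The second flags users with repeated accesses that lack a documented treatment relationship. The `relationship` column is an assumption for the example; in a real deployment that flag would come from joining the audit log against encounter or scheduling data.

```python
"""Periodic EHR access review over audit-log records (added example, constructed data).

Check 1: per-user monthly distinct-patient volume versus same-role peers.
Check 2: repeated record accesses with no documented treatment relationship.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed audit-log excerpt (not real data). Columns: timestamp, user id,
# role, patient medical record number, and whether an encounter linked the user
# to that patient (Y/N). The 'relationship' column is assumed to be available.
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,mrn,relationship
2019-03-02T08:10:00,nurse_a,nurse,MRN1001,Y
2019-03-02T08:40:00,nurse_a,nurse,MRN1002,Y
2019-03-05T09:00:00,nurse_a,nurse,MRN1003,Y
2019-03-03T10:00:00,clerk_b,clerk,MRN2001,Y
2019-03-04T10:30:00,clerk_b,clerk,MRN2002,Y
2019-03-09T11:00:00,clerk_b,clerk,MRN2003,N
2019-03-06T13:00:00,clerk_d,clerk,MRN4001,Y
2019-03-07T13:30:00,clerk_d,clerk,MRN4002,Y
2019-03-01T22:10:00,clerk_c,clerk,MRN3001,N
2019-03-01T22:11:00,clerk_c,clerk,MRN3002,N
2019-03-01T22:12:00,clerk_c,clerk,MRN3003,N
2019-03-01T22:13:00,clerk_c,clerk,MRN3004,N
2019-03-01T22:14:00,clerk_c,clerk,MRN3005,N
2019-03-01T22:15:00,clerk_c,clerk,MRN3006,N
2019-03-01T22:16:00,clerk_c,clerk,MRN3007,N
2019-03-01T22:17:00,clerk_c,clerk,MRN3008,N
2019-03-01T22:18:00,clerk_c,clerk,MRN3009,N
2019-03-01T22:19:00,clerk_c,clerk,MRN3010,N
2019-04-01T09:00:00,nurse_a,nurse,MRN1004,Y
2019-04-01T09:30:00,clerk_c,clerk,MRN3011,N
2019-04-01T09:31:00,clerk_c,clerk,MRN3012,N
"""


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def monthly_distinct_patients(rows):
    """Return ({(user, 'YYYY-MM'): set of MRNs}, {user: role})."""
    counts = defaultdict(set)
    roles = {}
    for r in rows:
        month = r["timestamp"][:7]          # ISO timestamp prefix gives YYYY-MM
        counts[(r["user"], month)].add(r["mrn"])
        roles[r["user"]] = r["role"]
    return counts, roles


def flag_volume_outliers(rows, multiplier=3.0, floor=5):
    """Flag (user, month, count) where a user's distinct-patient count exceeds
    `multiplier` times the median for the same role in that month and is at
    least `floor` (so a single busy day in a quiet month is not reported)."""
    counts, roles = monthly_distinct_patients(rows)
    by_role_month = defaultdict(list)
    for (user, month), mrns in counts.items():
        by_role_month[(roles[user], month)].append((user, len(mrns)))
    flagged = []
    for (_role, month), entries in by_role_month.items():
        median = statistics.median(n for _, n in entries)
        for user, n in entries:
            if n >= floor and n > multiplier * median:
                flagged.append((user, month, n))
    return sorted(flagged)


def flag_no_relationship(rows, min_count=3):
    """Flag (user, month, count) with at least `min_count` accesses in a month
    that have no documented treatment relationship. A single such access may be
    legitimate coverage or break-the-glass use; a pattern of them is not."""
    bad = defaultdict(int)
    for r in rows:
        if r["relationship"] == "N":
            bad[(r["user"], r["timestamp"][:7])] += 1
    return sorted((u, m, n) for (u, m), n in bad.items() if n >= min_count)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_AUDIT_LOG)
    print("Volume outliers:", flag_volume_outliers(rows))
    print("No-relationship patterns:", flag_no_relationship(rows))
```

Both checks are meant to be run on a fixed schedule (monthly is a common choice) with the flagged users handed to privacy staff for follow-up; the thresholds here are illustrative and should be tuned against the organization's own baseline so that coverage staff and float nurses are not flooded into the report.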