Long Island Jewish Forest Hills Hospital (LIJFH) has begun notifying a number of patients about an insider data breach that affected their health records.
LIJFH said in its breach notification letters that it discovered an instance of unauthorized medical record access around January 24, 2020. LIJFH had received a subpoena for records in connection with a law enforcement investigation into a “No-Fault” motor vehicle accident insurance scheme, and the subpoena cited a LIJFH staff member.
A review of the access logs of its medical record system confirmed that an ex-employee had improperly accessed patients’ medical records. Although no evidence was found to suggest that any patient data was misused, or that the ex-employee was involved in the insurance scheme in any way, LIJFH decided to send out notification letters.
Notification letters were issued to all individuals whose medical records were viewed by the ex-employee during the period in which he/she could access patients’ health records, regardless of whether the patients were involved in a motor vehicle accident. That period ran from August 23, 2016 to October 31, 2017.
LIJFH stated that it is fully cooperating with the police investigation and said that the notification letters to all patients were delayed at the request of law enforcement to avoid interfering with the investigation. Notification letters began going out on August 5, 2021.
The employee did not access any credit card numbers or financial data. Only the following types of data were accessed: name, birth date, address, telephone number, insurance details, internal medical record number, treatment site, date(s) of service, treatment provider, the reason for consultation, a short summary of the patient’s medical background, prescription drugs, test data, diagnoses, and/or other treatment-related data. Some patients’ Social Security numbers may also have been accessed.
LIJFH is offering free credit monitoring and identity protection services to all persons potentially affected by the breach for one year, or longer if required by state law.
LIJFH has confirmed that the person no longer works at LIJFH. Steps have been taken to prevent and detect any other breach of this kind, such as improving the security tools that track access to medical record applications. Its compliance department is also conducting reviews of medical record access. LIJFH stated that all workers already receive ongoing training on HIPAA and patient privacy. After the breach was discovered, front-line personnel were retrained.