Hospital: Employee Viewed Patient Records Without ‘Need’

PHOENIXVILLE PA – Phoenixville Hospital has discovered that one of its employees accessed electronic medical records of its patients “without an apparent business reason” over a recent seven-month period, hospital owner Tower Health said Friday (July 8, 2022). The hospital has begun “notifying individuals whose personal health information was involved,” Tower Health added.

Information that may have been retrieved and viewed without authorization, according to the announcement, included names, addresses, dates of birth, dates of encounter, diagnoses, vital signs, medications, test results, and provider notes. In a few instances, it said, a partial Social Security number consisting only of the last four digits, and medical insurance company names and identification numbers, also were viewed.

It did not specify how many patients were affected, or how many times medical records were accessed.

Tower Health reported “the employee was immediately suspended and was subsequently terminated.” It also said the hospital was already taking several steps to ensure against a recurrence.

The terminated employee’s actions may be subject to regulations of the federal Health Insurance Portability and Accountability Act of 1996. The act was created to set national standards that “protect sensitive patient health information from being disclosed without the patient’s consent or knowledge,” the Centers for Disease Control and Prevention website stated.

Because the hospital “routinely monitors” employee use of electronic records, unauthorized access to a single hospital patient’s information was discovered May 1 (Sunday), Tower Health said.

An investigation conducted May 12 (Thursday) determined the same employee also “accessed and viewed” additional Phoenixville Hospital patient records “between October 2021 and May 1, 2022, without a legitimate business need related to his or her job duties.”

Notices to affected patients or their personal representatives were mailed Friday (July 8), Tower Health noted. “Those concerned about the incident who did not receive a letter, but would like to know if their information was affected, may call toll-free at 855-516-3851, Monday through Friday from 9 a.m. to 6:30 p.m. Eastern Time, excluding major U.S. holidays. This number will be in operation between July 8 and Sept. 6 (Tuesday),” Tower Health added.

“Complimentary credit monitoring is being offered to the few individuals” whose partial Social Security number and medical insurance information was accessed, Tower Health stated.

For others concerned about information privacy, Tower Health recommended “individuals keep a close watch on their bank statements, credit card statements, personal mail, and other bills and financial statements for any suspicious or unauthorized activity. Individuals should report any unauthorized activity to their bank or credit card companies.”

“Phoenixville Hospital takes its responsibility to safeguard personal and protected health information very seriously,” Tower Health assured the public in its statement. As a result of what it labeled as the “data privacy” incidents, Tower Health said:

  • Phoenixville Hospital has provided additional training to members of its workforce regarding the appropriate access of patient information;
  • The hospital continues to provide ongoing mandatory HIPAA and privacy training to its workforce members regarding appropriate access, use, and disclosure of protected health information; and
  • The hospital is currently investigating potential improvements to its privacy monitoring tools and processes.

Editor’s Note: Data breaches at other hospitals in Virginia and Pennsylvania, neither of them related to Phoenixville Hospital or Tower Health, were reported July 12 (2022; Tuesday) by HealthITSecurity.com on its website and may be of interest to readers.

Photo by The Post