"Small" breach, big harm.
I recently noted a privacy breach at Northern Inyo Hospital (NIH) in California. It was one of those “small breaches” (i.e., fewer than 500 individuals affected) that don’t get reported on HHS’s public-facing breach tool, but it really created distress for its victim. In discussing the breach, I noted my surprise at a statement the patient made that she might have to move to another community, as she no longer had trust in the hospital and was worried about how information about her accessed by the employee might be used against her.
A fuller version of the story subsequently published by the newspaper provided some additional details on the case, which seemed to involve a messy divorce and custody fight, where the employee (identified by the paper as Cherie LaBraque) was in a relationship with the patient’s husband at the time she allegedly first began breaching the victim’s privacy. LaBraque and the patient’s now ex-husband were married in June, months before a more recent privacy breach allegedly occurred that led to her firing.
The patient, Tami Matteson, kindly reached out to me to discuss the case and her decision to move away. She no longer trusts NIH even though they fired LaBraque within hours of discovering the most recent instance of improper access to Matteson’s files. And because her ex-husband is on staff at the area’s only other hospital, she doesn’t feel confident that her privacy will be protected there, either – even though she notes the other hospital went out of their way to inform her that her records would be kept in a separate area and logs would be kept of access. As Ms. Matteson told me, she doesn’t want to feel like she is a “problem patient.” She just wants a hospital where she can be treated like every other patient and have confidence that her privacy will be protected.
According to Matteson, during the time in 2010 that LaBraque was improperly accessing her records, LaBraque was not only in a relationship with Matteson’s husband, but she was also writing letters to the court about the custody dispute between Ms. Matteson and her then-husband. I was unable to locate contact information for Ms. LaBraque, so these statements should be understood as Ms. Matteson’s allegations that have yet to be confirmed or refuted. I should also point out that there is nothing to suggest that Matteson’s ex-husband was involved in any improper access to her medical records or solicited his then-girlfriend/current wife to access them for him.
Although Ms. Matteson was offered a settlement by NIH, money doesn’t repair trust. The hospital’s statement that they were not responsible and there’s only so much they can do about a rogue employee does not inspire confidence either, even though many healthcare security professionals might find their statement realistic. In this case, there had reportedly been over a dozen improper accesses by LaBraque back in 2010, but those were never discovered by the hospital until a more recent incident that was discovered by an employee who was aware of the divorce and custody dispute.
LaBraque has also been accused of improperly accessing the files of several other people, at least one of whom is a friend of Matteson’s. Those breaches, too, were not discovered until the hospital investigated the most recent breach involving Ms. Matteson’s records.
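The pattern in this case (repeated access to one patient’s chart by an employee with no treatment relationship, undetected for years until a coworker happened to know the back-story) is exactly what routine audit-log review is meant to catch, and the kind of arrangement the second hospital offered Ms. Matteson (a flagged record plus access logging) only works if someone actually reviews those logs. The script below is an added illustration written for this post; it is not code from either hospital, and the log format, user and patient identifiers, treatment-relationship table and restricted-record list are all constructed for the example. It reads a small EHR access log, flags any access where the user has no care-team or encounter relationship with the patient, counts repeat accesses to the same unrelated record, and separately flags any access to a restricted record by someone not on that patient’s allowed list.

```python
"""Flag EHR record access with no treatment relationship (constructed example)."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample audit log; not data from the hospital or the article.
# Columns: timestamp, user_id, patient_id, action
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,patient_id,action
2010-03-02T09:14:00,u1001,p5001,view_chart
2010-03-02T09:20:00,u1001,p5002,view_chart
2010-03-04T13:05:00,u1001,p5002,view_notes
2010-03-11T08:40:00,u1001,p5002,view_labs
2010-03-15T16:22:00,u2002,p5002,view_chart
2010-03-15T16:30:00,u1001,p5003,view_chart
"""

# Constructed: (user, patient) pairs with an active treatment relationship,
# e.g. a care-team assignment or an open encounter. In a real deployment this
# comes from the scheduling/encounter system, not from the access log itself.
SAMPLE_RELATIONSHIPS = {
    ("u1001", "p5001"),
    ("u2002", "p5002"),
    ("u1001", "p5003"),
}

# Constructed: patients who asked for restricted handling, mapped to the only
# users who may open the record without an explicit break-the-glass reason.
SAMPLE_RESTRICTED = {"p5002": {"u2002"}}


def parse_audit_log(text):
    """Parse the CSV audit export into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_unrelated_access(events, relationships):
    """Return {(user, patient): count} for accesses with no treatment relationship."""
    counts = Counter()
    for e in events:
        key = (e["user_id"], e["patient_id"])
        if key not in relationships:
            counts[key] += 1
    return dict(counts)


def repeat_offenders(unrelated_counts, threshold=2):
    """Keep only (user, patient) pairs opened at least `threshold` times without a relationship."""
    return {k: v for k, v in unrelated_counts.items() if v >= threshold}


def find_restricted_access(events, restricted):
    """Return events that open a restricted record by a user not on its allowed list."""
    hits = []
    for e in events:
        allowed = restricted.get(e["patient_id"])
        if allowed is not None and e["user_id"] not in allowed:
            hits.append(e)
    return hits


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    unrelated = find_unrelated_access(events, SAMPLE_RELATIONSHIPS)
    for (user, patient), n in sorted(repeat_offenders(unrelated).items()):
        print(f"{user} opened {patient} {n} times with no treatment relationship")
    for e in find_restricted_access(events, SAMPLE_RESTRICTED):
        print(f"restricted record {e['patient_id']} opened by {e['user_id']} at {e['timestamp']}")
```

In practice the relationship check is the expensive part: it needs a reliable feed of who is assigned to whom, and legitimate exceptions (consults, coverage, coding staff) generate noise, which is why many hospitals only review a sample. A per-patient restriction list like the one above is far cheaper to enforce and is what a patient in Ms. Matteson’s position is really asking for: any access outside the allowed set is reviewed, every time, rather than waiting for a coworker to recognize the name.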
Criminal prosecutions under HIPAA are unusual, but if there is any evidence that the employee used or incorporated information from Matteson’s medical files in her letters to the court, then I think a criminal prosecution under HIPAA might be in order (cf. the Andrea Smith case for an example of a prosecution with similar circumstances). According to the media report and Ms. Matteson, the District Attorney in Matteson’s area seems to be viewing the conduct as multiple instances of a misdemeanor. HHS/OCR might be in a position to send an even stronger message, and it will be interesting to see what the D.A.’s office and HHS do with this situation. The paper doesn’t mention whether this breach has also been reported to the California Department of Public Health, but they, too, investigate privacy breaches and are more inclined to issue monetary penalties to hospitals than HHS seems to be. They could also demand other access controls or assurances to prevent this type of problem in the future.
Of course, that would all be of small consolation to Ms. Matteson, who informs me that yes, she intends to move away when she can resolve the custody issue with her ex-husband so that she can find a hospital where she feels her privacy will be better protected.
So the next time someone tries to tell you that employee snooping or a “small” hospital privacy breach is “no big deal,” think of Ms. Matteson. I will.