Incidents where staff at hospitals access someone’s medical records without authorization or being directly involved in the patient’s care. In some cases, health system employees have accessed information such as emails, birth dates, clinical information or Social Security numbers, with the likely intention of selling the information or committing fraud.
Snooping is one of several types of data breaches that have been on the rise. Between 2009 and 2020, 3,705 health care data breaches involving 500 or more records have been reported to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights, according to an article in HIPAA Journal. Those breaches resulted in the loss, theft, exposure or impermissible disclosure of over 268 million health care records. The average number of breaches per day in 2020 was 1.76. HHS maintains an updated list of all breaches reported in the previous 24 months, including cases of unauthorized access/disclosure.
Hospitals and health systems have been announcing larger incidents of snooping to affected patients. For example, in May 2021, the University of Florida Health Shands announced it had notified 1,562 people affected by a privacy breach in which a former employee accessed medical records “outside the scope of their duties.”
More information is available in a July 2021 AHCJ blog post.