Ex-Employee of Cedar Rapids Hospital Who Accessed Ex-Boyfriend’s PHI Gets 5-Year Probation

An ex-employee of Cedar Rapids Hospital is sentenced to 5 years’ probation for inappropriately accessing and sharing the protected health information (PHI) of her former boyfriend.

41-year-old Jennifer Lynne Bacor of Las Vegas, NV, was working at a Cedar Rapids hospital as a patient care technician. Her job allowed her to access systems that contain the individually identifiable data of patients. Although she was permitted to access that data, she was just allowed to access the data of patients so as to carry out her work responsibilities.

Bacor’s ex-boyfriend went to the hospital several times in 2017 to get treatment. Using her login credentials, Bacor accessed his health records created from October 2013 to September 2017 on a number of times from April to October 2017, even when there was no valid work reason to do so.

Accessing the PHI of a person when there’s no valid work reason to do so violates the Health Insurance Portability and Accountability Act (HIPAA), and criminal charges may be filed for such violation.

Bacor got a picture of a medical image that revealed injuries suffered by her former boyfriend and mailed the picture to a third party. Subsequently, the third party shared the picture with other people through Facebook Messenger, putting taunting words and emojis along with the picture. Bacor was likewise determined to have mentioned in social media messages to another individual that she was trying to get principal custody of two kids that she and her former boyfriend had.

After finding out about the privacy breach, the former boyfriend went to the hospital on October 4, 2017 and submitted a complaint alleging Bacor got access to his health records with no permission and got the picture from the hospital. The hospital made an investigation of the privacy violation and affirmed that Bacor got access to his health records 10 times. Bacor was at first suspended, subsequently, she was dismissed for her HIPAA violation.

In August 2020, Bacor confessed to the police officers that she just broke the federal privacy laws so as to defend her kids. Bacor sought a plea agreement and admitted to committing to one count of wrongfully acquiring individually identifiable information under false pretenses.

U.S. District Judge C.J. Williams stated that Bacor weaponized her former boyfriend’s private health information by sharing it with others and passed her sentence of 5 years’ probation and penalized her $1,000. Bacor was likewise forbidden from being employed in any work that allows her to get access to the private health records of other people.