Patient Data Breach at VCU Health and Cheyenne Regional Medical Center

Virginia Commonwealth University Health System (VCU Health) detected an extended privacy violation that possibly began on January 4, 2006. Based on the substitute breach notification posted on the VCU Health web page, transplant donor data were included in the health records of a number of transplant patients. Transplant recipient data were likewise contained in the medical files of transplant donors.

Whenever transplant recipients, transplant donors, or their representatives signed into the patient portal to see their medical files, they could have viewed the other party's (donor's or recipient's) data. It is also likely that the data was given to persons who requested a copy of their health records. In every case, the compromised data was not available to the public, only to particular transplant recipients and donors.

VCU Health detected the privacy breach on February 7, 2022. The subsequent investigation confirmed that more data might also have been accessible, including names, laboratory data, date(s) of service, medical record numbers, Social Security numbers, and/or birth dates.

Impacted persons received notification by mail, along with free credit monitoring services if their Social Security numbers were exposed. Steps were also undertaken to enhance privacy protections and prevent similar incidents in the future. VCU Health stated that a total of 4,441 transplant donors and recipients were impacted.

Snooping on Patient Records by Cheyenne Regional Medical Center Employee

Cheyenne Regional Medical Center (CRMC) found out that a former staff member had been viewing the health records of patients without permission for about two years. The former staff member was allowed access to patient records to carry out her work responsibilities, but had been viewing the files of patients for reasons not related to her job.

A former co-worker reported the privacy violation after the snooping staff member transferred to another department inside the medical center. The internal investigation of the incident confirmed that the files of around 1,600 patients were accessed without authorization between Aug. 31, 2020 and May 26, 2022.

Gladys Ayokosok, compliance director of CRMC, mentioned that no evidence was found suggesting the former employee copied or further disclosed any patient data. Affected persons have already received notification concerning the HIPAA violation by the employee. The following types of data were potentially viewed: names, birth dates, Social Security numbers, medical record numbers, dates of service, diagnoses, and treatment data.

Ayokosok stated that the access continued undetected for such a long time because the former staff member had formerly worked with the electronic health record company. To identify any incidents of snooping in the future, the IT department has developed an audit record, which will enable the IT team to know whether employees accessed records an abnormal number of times, find out the reasons that employees are accessing patient data, and check to ensure there is a legitimate reason for viewing patient information.
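The two audit checks described above, an abnormal number of record accesses and the absence of a legitimate reason for each access, can be run over an EHR access-audit export. The following is an added example written for this article; it is not code from CRMC, VCU Health, or any EHR vendor. It assumes a hypothetical CSV-style export with the columns shown, a constructed set of log lines (no real patient data), and a simple heuristic baseline (a user is abnormal when the number of distinct patients they opened exceeds three times the median of their department's peers).

```python
"""Heuristic detection of patient-record snooping from EHR access-audit logs.

Added example; assumes a hypothetical CSV audit export with the columns below.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample audit export (not real patient data). Columns:
# timestamp, user, department, patient_mrn, action, care_relationship
# care_relationship is "yes" when the user is on the patient's treatment team
# or has a documented work reason for the access, "no" otherwise.
SAMPLE_LOG = """\
timestamp,user,department,patient_mrn,action,care_relationship
2022-05-02T08:01:00,alice,nursing,MRN-1001,view,yes
2022-05-02T08:05:00,alice,nursing,MRN-1002,view,yes
2022-05-02T09:10:00,alice,nursing,MRN-1003,view,yes
2022-05-02T08:30:00,bob,nursing,MRN-1004,view,yes
2022-05-02T10:30:00,bob,nursing,MRN-1005,view,yes
2022-05-02T07:55:00,carol,nursing,MRN-1006,view,yes
2022-05-02T07:58:00,carol,nursing,MRN-1007,view,yes
2022-05-02T12:01:00,carol,nursing,MRN-2001,view,no
2022-05-02T12:02:00,carol,nursing,MRN-2002,view,no
2022-05-02T12:03:00,carol,nursing,MRN-2003,view,no
2022-05-02T12:04:00,carol,nursing,MRN-2004,view,no
2022-05-02T12:05:00,carol,nursing,MRN-2005,view,no
2022-05-02T12:06:00,carol,nursing,MRN-2006,view,no
2022-05-02T12:07:00,carol,nursing,MRN-2007,view,no
2022-05-02T12:08:00,carol,nursing,MRN-2008,view,no
2022-05-02T12:09:00,carol,nursing,MRN-2009,view,no
2022-05-02T12:10:00,carol,nursing,MRN-2010,view,no
2022-05-02T11:00:00,dave,billing,MRN-1001,view,yes
"""


def parse_audit_log(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def distinct_patients_per_user(records):
    """Map each user to (department, number of distinct patients accessed)."""
    seen = defaultdict(set)
    dept = {}
    for r in records:
        seen[r["user"]].add(r["patient_mrn"])
        dept[r["user"]] = r["department"]
    return {u: (dept[u], len(mrns)) for u, mrns in seen.items()}


def flag_abnormal_volume(records, factor=3.0):
    """Flag users whose distinct-patient count exceeds factor x the median of
    their department. Returns {user: (count, threshold)}.

    Assumed heuristic: a department with a single user has no peer baseline
    and is skipped rather than flagged.
    """
    per_user = distinct_patients_per_user(records)
    by_dept = defaultdict(list)
    for user, (department, count) in per_user.items():
        by_dept[department].append(count)
    flagged = {}
    for user, (department, count) in per_user.items():
        peers = by_dept[department]
        if len(peers) < 2:
            continue
        threshold = factor * max(statistics.median(peers), 1)
        if count > threshold:
            flagged[user] = (count, threshold)
    return flagged


def accesses_without_care_relationship(records):
    """Return accesses that carry no documented treatment or work reason,
    i.e. the rows a reviewer must justify or escalate."""
    return [r for r in records if r["care_relationship"].strip().lower() == "no"]


if __name__ == "__main__":
    rows = parse_audit_log(SAMPLE_LOG)
    for user, (count, threshold) in flag_abnormal_volume(rows).items():
        print(f"abnormal volume: {user} opened {count} patients (threshold {threshold})")
    for r in accesses_without_care_relationship(rows):
        print(f"no care relationship: {r['user']} -> {r['patient_mrn']} at {r['timestamp']}")
```

The volume check alone produces false positives for legitimately busy roles (charge nurses, coders), which is why the second check matters: an access with no care relationship and no recorded work reason is the signal that warrants a follow-up regardless of volume. In a production deployment the baseline would be computed per role over a rolling window rather than over one day's export.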