NYC Health + Hospitals reports breach at Coney Island Hospital
A volunteer at Coney Island Hospital, part of NYC Health + Hospitals in New York, inadvertently caused a breach because she handled patient’s protected health information before she had been fully vetted and trained by the organization’s human resources department.
Because the volunteer was not authorized under hospital procedures to access and handle protected health information, she was not qualified to handle protected health information, and that constitutes a breach under HIPAA rules. As a result, the incident was reported to the HHS Office for Civil Rights.
The incident was discovered on March 10; the organization learned that the volunteer had worked for three months in the facility starting in December 2016. In that time, she had handled the information of 3,494 individuals, NYC H + H says.
“A supervisor within the phlebotomy department improperly arranged, under her supervision, for the volunteer to complete certain tasks within the department,” CEO Anthony Rajkumar explained in a letter describing the incident to patients.
The volunteer’s tasks included recording patient names in a log book, indicating that the volunteer had access to such protected health information as patient names, medical record numbers and dates of birth. The supervisor initially was suspended and later resigned.
The hospital is not offering credit or identity monitoring services, according to a spokesperson, because the breach did not involve identifiers that typically put a person at risk. “The nature of the breach and absence of ill intent makes this even less likely,” according to Rajkumar’s letter.
The hospital has set up a call center operated by Kroll, a New York-based company that helps organizations investigate and manage risk incidents, to answer any questions that patients may have. It’s also providing information on how patients can request access to and review their medical records to determine if any information has been compromised, and to file a request to correct any information that may not be appropriate.
Rajkumar has reminded all employees to ensure volunteers are properly processed through the organization’s human resources department.
The hospital also submitted a statement on the breach.
“NYC Health + Hospitals’ first priority is to provide our patients with safe, high quality, affordable care, and we value the importance of protecting the confidentiality of our patients’ medical records. This was an isolated incident and an unacceptable violation of our policies and practices. That’s why we’ve taken swift measures against the employee who violated these rules and the other individual involved. We are also reaching out to patients who may have been affected and taking every necessary step to prevent anything like this from happening again.”