TODAY'S PAPER
Good Morning
Good Morning
Business

Huntington Hospital notifies 13,000 patients about 2018-2019 data breach

Huntington Hospital says patient records were accessed without

Huntington Hospital says patient records were accessed without authorization by a since-fired employee.  Credit: Newsday/J. Conrad Williams Jr.

Huntington Hospital has notified some 13,000 patients about a data breach involving unauthorized access to confidential patient information.

A night shift employee improperly gained access to electronic medical patient records in violation of its policies, said New Hyde Park-based Northwell Health, which owns the hospital. The employee has since been fired and charged with criminal violation of the federal law protecting patient confidentiality, the Health Insurance Portability and Accountability Act, Northwell said.

The breached information may have included names, dates of birth, telephone numbers and addresses, as well as clinical information such as diagnoses and medications, Northwell said. There is no indication the former employee accessed Social Security numbers, insurance information, credit card numbers or other financial data.

The hospital determined in February 2019 after an investigation that the since-terminated employee had been accessing patient information without authorization since October 2018, and it immediately suspended the worker, Northwell said. The hospital notified law enforcement officials about the breach, and followed their instructions to delay notifying patients until this month, Northwell said.

The hospital has increased its controls on access to patient information and retrained staff about protecting patient confidentiality, Northwell said.

In a statement, the health system said, "Huntington Hospital takes its responsibility to safeguard patient information very seriously. The hospital regrets the unauthorized actions of a since terminated former employee, and it continues to take steps to prevent an incident like this from recurring."

A spokesman for the health system declined to comment further, citing the criminal investigation.

It could not be determined on Monday whether the former employee actually accessed the records of all 13,000 patients who were notified about the breach, or only some of them.

It also was not clear why the former employee accessed the records and what, if anything, was done with the confidential information. Law enforcement and regulatory agencies did not disclose any information about the identity of the former employee, details about the allegations or the status of the case on Monday.

The hospital is offering all patients impacted by the breach at least one year of identity theft protection services at no cost. Northwell is in the process of notifying regulatory agencies, including the U.S. Department of Health and Human Services, a spokesman said.

More news