Hawaii Pacific Health Data Breach (2020)

Honolulu-based Hawaii Pacific Health has fired an employee after discovering the employee had inappropriately accessed patient medical records. The employee worked at Straub Medical Center. The health system found that the employee had wrongfully accessed patient records between November 2014 and January 2020. According to HHS’ Office for Civil Rights data breach portal, 3,772 patients may have been affected. Hawaii Pacific Health does not believe the former employee was accessing the information for the purpose of identity theft. Rather, they believe the employee was acting out of curiosity. Nonetheless, Hawaii Pacific Health is offering the affected patients one year of free credit monitoring and identity restoration services. Patient data that may have been exposed included names, addresses, phone numbers, email addresses, dates of birth, religion, race/ethnicity, Social Security numbers, medical record numbers, primary care providers, dates of services, appointment notes, hospital account numbers, department names, provider names, account numbers and health plan names. Since the incident, Hawaii Pacific Health has reviewed its internal procedures and staff training. The health system is also looking to invest in different technologies. Hawaii Pacific Health has discovered an employee of Straub Medical Center in Honolulu has been snooping on the medical records of patients over a period of more than 5 years. Hawaii Pacific Health discovered the unauthorized access on January 17, 2020 and launched an investigation. An analysis of access logs revealed the employee first started viewing patient records in November 2014 and continued to do so undetected until January 2020. During that time, the employee viewed the medical records of 3,772 patients. After concluding the investigation, the employee was terminated. Affected patients had received treatment at Straub Medical Center, Kapiolani Medical Center for Women & Children, Pali Momi Medical Center, or Wilcox Medical Center. The types of information that the employee could have viewed included patients’ first and last names, telephone numbers, addresses, email addresses, dates of birth, race/ethnicity, religion, medical record numbers, primary care provider information, dates of service, appointment types and related notes, hospital account numbers, department name, provider names, guarantor names and account numbers, health plan names, and Social Security numbers. The reason for accessing the records was not determined, but Hawaii Pacific Health believes it was out of curiosity rather than to obtain sensitive information for malicious purposes. However, data theft could not be ruled out. All patients whose records were accessed by the employee were notified by mail on March 17, 2020 and were offered one year of free credit monitoring and identity restoration services. Hawaii Pacific Health is reviewing and updating its internal procedures and will be providing further training on patient privacy. The health system is also investigating new technologies that can be implemented to identify unauthorized medical record access and anomalous employee behavior access more rapidly.