Kettering Health Network Data Breach (2014)

When you go to the hospital you expect your private health information to be kept private. But 2 NEWS Investigates uncovered a lawsuit by two local women that alleges they repeatedly had the privacy of their health information violated by employees at Kettering Health Network, also known as Kettering Adventist Healthcare. Every time you see a new doctor you probably sign a notice of privacy practices. Its part of a national law called HIPAA. Its meant to keep things like your visits to the doctor and even your billing information from getting into the wrong hands. But Kettering Health Network and its former employee are being sued accused of not following that law. Vicki Sheldon and her daughter Haley say they feel violated. I dont know if I could feel anymore violated then if I had just been stripped down naked and walked in front of every executive in Kettering, said Vicki. They claim Kettering Health Network employees wrongfully accessed their health information. Vicki said Kettering first alerted her to the violation. According to Vicki, Kettering told her that her ex-husband, Duane Sheldon who worked in the Administration Department at Kettering, had inappropriately looked at her records. I received some reports directly from Kettering, from their system. Quite frankly when I got them I was very disturbed by the number of people who had no reason to be in my records had been in my records apparently just whenever they felt like looking. Vicki said that report showed her records were looked at again and again for 15 months by people who she says had nothing to do with her care. Both women believe Kettering Health Network did not have the appropriate procedures in place to protect their private records. Theyre suing both Kettering Health Network and Duane Sheldon for invasion of privacy and negligence. Duane Sheldons attorney told me hes declining an interview but provided a brief statement that says in part, much of the Plaintiffs Complaint is inaccurate and personally inflammatory. According to his attorney, Duane Sheldon no longer works for Kettering Health Network. Kettering declined to comment directly about the lawsuit. But regardless of the legal side of things, 2 NEWS Investigates wanted to know how safe your information really is and if there was in fact a breach at a health network that serves thousands of people in the Miami Valley. The Director of Compliance Program, Megan Brickner who oversees patient protection agreed to answer questions. Natalie: Was there a HIPAA violation at this network by employees? Brickner: I cannot comment to that in particular, but I can say again we have this Protect program that we are continuously looking at the risk landscape and if we see something we need to address then we do so, Brickner said not every employee has access to every part of a patients record. The access they get is based on their job title. She also said Kettering has a system in place that notifies them if a patients record was accessed by the wrong person. There are reports that get ran. We also have a third party come in every year looking at our IT infrastructure, she said. Brickner wouldnt go into detail about the types of reports that are run or disclose the latest results of them. But she does say if your records were looked at inappropriately its required by law to let you know. Natalie: Should patients be worried about their medical information? Brickner: To be honest with you, I think everyone needs to always be vigilant. I think its very important to be your own advocate. Natalie: Are you running those reports and is everything working? Brickner: Yes. Everything is working. I will tell you how well its working. We do have a commitment to protecting patient privacy and securing their information. Vicki said those answers are not enough. I would hate for anybody to have to go through this. Its humiliating. Its degrading. It takes away your power, said Vicki Sheldon. According to public court documents Duane Sheldon and Kettering are asking that the lawsuit be dismissed, arguing that individuals cant sue over HIPAA violations. 2 NEWS Investigates went to the top legal expert in the state to find out. My understanding of the law is that individuals do not have the right to sue under the HIPAA law but what they could do is file under a tort law of common law that exists in every state and file an action under that, Ohio Attorney General Mike DeWine. DeWine said a states attorney general and the US Department of Health and Human Services are the ones who can take legal action when someone believes their health information was violated. Vicki and Haleys attorney said the government is overburdened and this case is about more than HIPAA violations. Its about an invasion of privacy. Its a new and emerging area of the law therefore in Ohio, this type of breach doesnt have a lot of case law behind it, but there are other states notably Indiana and California where theres been significant privacy violations, said Vicki and Haleys attorney, Rob Croskery. According to the US Department of Health and Human Services, you have the right to see and get a copy of your health records and who has looked at them. All you need to do is ask your hospital for them. In most cases they have up to 30 days to provide the copy.