Ohio Hospital HIPAA Violation Goes Unnoticed for Over a Decade

An employee of Aultman Health Foundation in Ohio accessed more than 7,000 EHRs over the past 12 years and was terminated for committing a HIPAA violation.

Aultman Health Foundation in Ohio announced the termination of an unnamed employee who committed a HIPAA violation that put patient EHRs and personally identifiable information (PII) at risk. For over a decade, the employee inappropriately accessed over 7,000 patient records.

Although the employee had access to EHRs as part of their job, Aultman discovered that the worker was accessing patient records unrelated to their work. Names, birthdates, health insurance information, Social Security numbers, addresses, and diagnosis and treatment information were viewed without authorization.

The privacy breach went undetected for over a decade, as the employee consistently accessed records outside of their job scope between 2009 and 2021. The worker was not a clinician but did have a role in coordinating patient care. In a statement obtained by The Daily Record, the hospital system confirmed that the employee was terminated.

"Upon discovering this, the employee’s access to Aultman’s electronic health record system was suspended, and an investigation was conducted to determine the nature and scope of the incident," Aultman stated.

The employee is not facing any criminal charges for the HIPAA violation, and as of now there is no evidence that the EHRs were misused or distributed. Aultman began sending letters to the 7,300 impacted patients to notify them of the breach.

"To help prevent something like this from happening again, Aultman has provided additional training to its system users and is implementing additional measures to protect the information of its patients," the statement continued.

Aultman will provide free identity theft protection and credit monitoring to impacted patients, and the organization recommends that patients review their insurance statements closely to confirm that only services they actually received are listed.

Aultman was also the victim of a 2018 phishing attack that impacted over 43,000 patients.