I read with dismay yet another instance of a security breach of a provider’s electronic health record system at the hands of healthcare staff who intentionally accessed patient data for personal gain.
This time, it was a doctor and an office manager of Sight and Sun Eyeworks Gulf Breeze in Gulf Breeze, Fla., who allegedly copied all or parts of the optometry practice’s EHR system, quit their jobs with no notice, moved to a competitor, and used the patient information to market their new employer’s services, in some cases going into Sight and Sun’s EHR system to change appointments to the new employer. Sight and Sun has notified 9,000 patients about the unauthorized access, according to the Pensacola News Journal.
This is the dark side of EHRs; such tools are at their most vulnerable when people patients entrust with their confidential information–who presumably are trained about HIPAA–take advantage of these systems, wreaking havoc in their wake.
Had these been paper records, the damage would have been less extensive. Sure, patient information still could have been stolen, but the former employees would not have been able to electronically override the scheduling information and change appointments. They also likely would not have been able to access so many records.
Sight and Sun has filed a lawsuit against the two employees–Suzanne M. Day, M.D., and Lynette Bramlett–seeking return of the data and to stop them from using it. Day and Bramlett deny wrongdoing.
This situation is bad all round, no matter how you slice it.
Sight and Sun already has suffered from the security breach, incurring the cost and negative publicity of notifying the 9,000 patients. By improperly accessing and changing appointment information, Day and Bramlett may have compromised the patient records. Other data may have been compromised, as well. Even if the practice had been complying with HIPAA (and there appears to be some evidence to that effect), Sight and Sun still may be subject to lawsuits by patients and government investigation.
The new employer also could be in legal trouble, if it knew or supported the cybercrime. And even if it didn’t, wouldn’t it behoove the practice, receiving this influx of new patients, to at least question the new employees’ methods? Who’s supervising these people? This office also can be sued by patients for privacy violations, and investigated by the government.
If the accusations are true, Day and Bramlett may very well end up in major legal trouble for their efforts, and there’s precedent for that. Last year, Eric McNeal, a former employee of a physician’s office who pulled a similar stunt on behalf of his new employer, was sentenced to 13 months in prison, plus community service. Is the potential financial benefit in misusing records really worth that kind of cost?
The real victims, of course, are the patients, whose confidential information–including their Social Society numbers–now reside in the possession of people the patients don’t even know, exposing them to potential identity theft and the less-than-savory world of healthcare backstabbing. The patients have been reduced to nothing but dollars. They’re just a commodity.
No wonder patients mistrust EHRs.
I hope that the government pursues a thorough investigation here. And if the government finds wrongdoing, it should show no mercy.
