PHI Exposed by Job-Sharing Employee

By Daniel Lopez

TapestryHealth, based in Connecticut, is a technology solutions provider to post-acute and assisted living establishments. On or about November 3, 2025, it discovered unauthorized access to its patient records, which may be a HIPAA breach. The suspect is an employee who may have been job sharing. His access to patient records was terminated while an investigation is in progress.

Job sharing means a person takes a position at a company but delegates some or all of the required tasks to other people. Though a business associate can ask subcontractors to fulfill some aspects of its job, the subcontractor is classified as a business associate and should enter into a business associate agreement (BAA), which is covered by the HIPAA Regulations. In this instance, the job sharing was not authorized, violated TapestryHealth’s employment and privacy guidelines, and might have happened throughout the employment period from November 6, 2024 to November 3, 2025. Once the job sharing was confirmed, the employee’s contract was ended.

TapestryHealth stated that there might have been unauthorized access to these types of protected health information (PHI): last name, facility details (name, admission date, room number), medical record number, name(s) of providers, vitals, immunizations, diagnosis and treatment data, prescription drugs, and/or care plan goals and progress records. The incident did not affect financial data, Social Security numbers, medical insurance data, or government/driver’s license IDs.

Besides ending the employee’s contract, TapestryHealth implemented extra security steps to prevent similar incidents, such as restricting the PHI that is accessible to employees. No evidence has been found that suggests the misuse of any information. Nevertheless, as a safety measure, the impacted persons were provided free credit monitoring and identity theft protection services for one year.

Sentara Health reported a similar incident at the beginning of 2025, which involved three remote employees engaging in job sharing. The PHI of about 14,898 patients was impermissibly disclosed to unauthorized individuals.

Image credit: peopleimages.com, Adobestock / logo©TapestryHealth


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA