Should There be a Criminal Investigation of a HIPAA Breach Involving an Employee?

A criminal investigation of a HIPAA compliance breach is launched when health data are stolen for malicious purposes, but what about cases involving curious employees?

Healthcare data breaches are often discovered during routine audits of ePHI access logs. Healthcare providers discover that rogue employees have accessed patients’ data with no legitimate work reason for doing so. In such cases, the employees are disciplined and often lose their jobs as a result, but should the matter be reported to law enforcement if a healthcare provider is satisfied that the actions of employees were not malicious, just misguided?

One incident came to light this week where a healthcare organization discovered an employee had been accessing the medical records of patients without authorization. The incident was reported to the appropriate state and federal regulators and the employee was disciplined, but the incident was not reported to law enforcement.

The district attorney became aware of the breach and criticized the healthcare provider for not reporting the matter to law enforcement. A criminal investigation of a HIPAA breach must take place, according to the Deschutes County District Attorney John Hummel, and certainly for a breach of this magnitude.

On January 16, 2017, Oregon-based St. Charles Health System discovered the employee had been accessing the medical records of patients without authorization and had been doing so for a period of around three years. The investigation revealed that medical records were first accessed On October 8, 2014 and access continued until January 2017 when the HIPAA breach was discovered.

The employee was questioned and St. Charles Health was satisfied that the records were accessed out of curiosity. An affidavit was signed by the employee in which she said she had not accessed the records in order to commit identity theft and that records were accessed out of medical curiosity. Over the course of those three years, the records of 2,500 patients were improperly accessed.

Hummel released a statement about the incident saying, “I was dismayed to learn via media reports that apparently, a St. Charles employee impermissibly accessed records of thousands of patients.” Hummel went on to say, “An alleged breach of this magnitude should have been reported to local police so that a proper criminal investigation could be conducted – as far as I’m aware this did not happen.”

A criminal investigation of the HIPAA breach will now take place, and if law enforcement or the DA discovers laws have been broken, the employee will be charged.

The criminal investigation of a HIPAA breach should be left to law enforcement according to Hummel. He told NewsChannel 21, “Just like I don’t diagnose a patient’s health condition, a medical professional shouldn’t try to determine whether a crime was committed…That job is left to police officers, district attorneys, grand juries, judges and juries in the courtroom.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of