HIPAA Violations in Michigan and Illinois Lead to Healthcare Workers Being Fired

A staff member at Ann & Robert H. Lurie Children’s Hospital of Chicago has been fired accessing the medical records of patients without the appropriate authorization over a period of 15 months.

The privacy violations were discovered when, after reviewing access logs, the hospital found that a staff member had viewed the medical records of 4,824 patients without authorization between November 2018 and February 2020. The range of data viewed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. However, no health insurance information, financial information, or Social Security numbers were impacted.

There was no explanation offered as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or shared the information with anyone else. The hospital said the individual is no longer employed at the hospital.

This is not the first time something like this has happened at Lurie Children’s Hospital. A similar incident was identified during November 2019, when the hospital became aware that a former employee accessed the medical records of patients without permission between September 2018 and September 2019.

Meanwhile, Mercy Health has also fired an employee for alleged breaches of the HIPAA Privacy Rule. A nurse employed at Hackley Hospital in Muskegon, MI was terminated from her position on April 3, 2020. The termination came not long after the nurse raised concerns in media interviews about the level of preparedness of the hospital for the COVID-19 pandemic and how the alleged lack of preparedness put safety at risk. The nurse got in touch with the Michigan Nurses Association Labor Union, which claimed that Mercy Health fired the nurse for speaking out. The Labor Union also submitted a charge with the National Labor Relations Board.

The Labor Union shared a press release on April 21 which said: “Howe’s termination came on the evening of April 3, days after he had publicly raised concerns about lack of appropriate PPE and the need for improved screening measures to keep nurses and healthcare workers safe during the COVID-19 pandemic”.

10 days after the nurse was fired, and one day after the press release was published by the Labor Union, Mercy Health released a press release of its own stating the nurse was fired for multiple breaches of HIPAA Rules. Mercy Health said it does not typically share details about employment matters related to its workers but was compelled to speak out due to the “misinformation campaign” led by the Labor Union.

Mercy Health alleges that the fired nurse, Justin Howe, was terminated for accessing the medical records of multiple patients over a number days. The records were not those of patients receiving treatment at the campus where the nurse worked and there was no genuine work reason for accessing those records. Mercy Health claims that Howe was not the only nurse terminated for inappropriate medical record access.

Mercy Health’s press release said: “We have mechanisms in place to monitor for inappropriate access of privileged information. As part of this review process, Mr. Howe along with others were terminated for the same. This investigative effort is still in process.”

Author: Elizabeth Hernandez

Elizabeth Hernandez works as a reporter for NetSec.news. Her journalism is centered on IT compliance and security. With a background in information technology and a strong interest in cybersecurity, she reports on IT regulations and digital security issues. Elizabeth frequently covers topics about data breaches and highlights the importance of compliance regulations in maintaining digital security and privacy. Follow on X: https://twitter.com/ElizabethHzone