An employee of the emergency unit in Brooklyn’s Kings County Hospital has been charged with stealing protected health information (PHI) of at least 100 patients and disclosing that information to a third party using an encrypted smartphone application.
Orlando Jemmott, 52, worked for 12 years at Kings County Hospital. From March 2006 to April 2018, he had access to the health records of patients to perform his duties, which entailed entering patient data into the hospital’s system and confirming symptoms. The patient information he had access to included demographic data and details of the patients’ symptoms and health problems.
In June 2017, a woman gave the FBI a tip that Jemmott was stealing patient data and selling it to another person. The woman reported that Jemmott was using the WhatsApp encrypted messaging application to send the stolen data. The woman obtained Jemmott’s cellular phone and gave it to the FBI together with a picture from his WhatsApp profile. The FBI obtained a warrant to search Jemmott’s phone and discovered numerous communications between Jemmott and Ron Pruitt, a man from Pennsylvania.
The communications contained the names and phone numbers of over 180 individuals. These messages were sent between December 2014 and April 2015. According to court documents, the identities of 100 persons were confirmed. Brooklyn’s Kings County Hospital also confirmed that 98 of those individuals were patients of the hospital. The hospital additionally confirmed that 88 of the 98 patient records were accessed without authorization.
The woman tipster additionally gave the FBI paper copies of health data which had been printed out between December 2016 and June 2017. The hospital confirmed that the PHI of 49 persons contained in the printouts was acquired from its electronic health record system.
In February 2018, Jemmott was arrested. In April, he was terminated by the hospital but was released on an $80,000 bond. The FBI also arrested Pruitt in early September and both are negotiating plea bargains. It is currently unclear what the PHI was used for and if it has been misused.
HIPAA requires covered entities to record PHI access logs and review them regularly for signs of illegal access. Preventing unauthorized PHI access by healthcare employees is a major challenge; however, regular checks of access logs will ensure that breaches are identified quickly and harm to patients is minimized. Even so, many healthcare organizations fail to check the logs regularly. Several cases have been uncovered in which healthcare employees accessed patients’ health records without authorization for several years before the HIPAA violations were detected.