Lowell General Hospital Employee Accessed Medical Records Without Proper Authorization


The medical records of 769 patients at Lowell General Hospital in Massachusetts were accessed by a hospital employee who had no authorization to view them. Opening those records without a legitimate work reason violated hospital policy and the patients' privacy. When management discovered the access and confirmed it through an internal investigation, the employee was terminated. The breach involved a single employee, and the hospital has found no evidence that the information was misused.

The hospital has notified the patients affected by the breach. They were informed that names, birth dates, medical diagnoses and treatment information were accessed by the former employee; financial information, Social Security numbers and health insurance details were not. The hospital has found no evidence that the accessed information has been misused. Further details are available in the breach notice on the hospital website.

Staff at Lowell General Hospital undergo HIPAA training and receive instruction on hospital policies, so they know that accessing medical records without a legitimate reason is prohibited. Following the incident, the hospital reviewed its privacy and security policies to ensure that employees follow the rules and that snooping is identified promptly.

It is not known how long the employee was able to access records before being caught, but the number of patients affected, 769, suggests the access continued over an extended period rather than being a single incident.

The HIPAA Security Rule requires covered entities and business associates to implement audit controls that record activity in systems containing ePHI (45 CFR §164.312(b)) and to regularly review records of information system activity such as audit logs and access reports (45 CFR §164.308(a)(1)(ii)(D)). "Regularly" is not defined, so the safest reading is ongoing review of access logs so that suspicious activity is identified promptly rather than months after the fact.

Audits can be done manually, but automated solutions make them far less burdensome. Such tools generally work in one of two ways. Rule-based tools fire an alert when a configured rule is violated, for example when a user opens the record of a patient with whom they have no treatment relationship, a patient on another unit, or any record outside their scheduled shift. Behaviour-based tools learn each user's normal access pattern and alert on deviations from it, such as a sudden jump in the number of distinct patient records opened in a day. Rule-based detection is precise but only catches what someone thought to write a rule for; behaviour-based detection needs a baseline period and can flag legitimate changes in duties, so its alerts still require human review. Used together, they pinpoint suspicious activity and catch employees snooping on medical records far sooner than periodic manual sampling.
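As an added illustration (not code from the article or from any product it describes), the following Python script applies both detection styles to a small constructed EHR access log. The rule-based check assumes a hypothetical care-team table listing legitimate user/patient relationships and a 07:00 to 19:00 day shift; the behaviour-based check builds a per-user baseline of distinct patients opened per day and flags a day whose count exceeds the baseline mean plus three standard deviations (with a minimum floor so that tiny fluctuations are not reported). All log lines, user names and patient IDs are constructed for the example.

```python
"""Rule-based and behaviour-based snooping detection over constructed EHR access logs."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    user_unit: str
    patient: str
    patient_unit: str


RuleAlert = namedtuple("RuleAlert", "event reasons")
BehaviourAlert = namedtuple("BehaviourAlert", "user day count baseline_mean threshold")

# Hypothetical care-team assignments (user, patient): the only legitimate relationships.
CARE_TEAM = {("nurse_a", p) for p in ("P101", "P102", "P103")} | \
            {("nurse_b", p) for p in ("P201", "P202")}

SHIFT_START, SHIFT_END = 7, 19  # assumed day-shift window, hours


def build_sample_log():
    """Constructed sample log (not real data). Format: ISO timestamp,user,user_unit,patient,patient_unit."""
    lines = []
    # Five days of routine ICU work for nurse_a: three assigned ICU patients per day, daytime.
    for day in range(1, 6):
        for p in ("P101", "P102", "P103"):
            lines.append(f"2023-05-{day:02d}T09:30:00,nurse_a,ICU,{p},ICU")
    # One rule violation: nurse_a opens a MED-unit chart with no treatment relationship.
    lines.append("2023-05-02T14:05:00,nurse_a,ICU,P210,MED")
    # Four days of routine MED work for nurse_b: two assigned patients per day.
    for day in range(1, 5):
        for p in ("P201", "P202"):
            lines.append(f"2023-05-{day:02d}T10:00:00,nurse_b,MED,{p},MED")
    # Day five: nurse_b opens twelve unrelated charts across units late at night (the snooping).
    for i in range(12):
        lines.append(f"2023-05-05T22:{i:02d}:00,nurse_b,MED,P{300 + i},{('MED', 'ICU', 'ONC')[i % 3]}")
    return lines


def parse_log(lines):
    """Parse CSV-style access log lines into AccessEvent objects."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, user_unit, patient, patient_unit = (f.strip() for f in line.split(","))
        events.append(AccessEvent(datetime.fromisoformat(ts), user, user_unit, patient, patient_unit))
    return events


def rule_based_alerts(events, care_team=CARE_TEAM):
    """Fire on each event that violates a configured rule; one alert may carry several reasons."""
    alerts = []
    for e in events:
        reasons = []
        if (e.user, e.patient) not in care_team and e.user_unit != e.patient_unit:
            reasons.append("no treatment relationship and patient is on another unit")
        if not (SHIFT_START <= e.ts.hour < SHIFT_END):
            reasons.append(f"access outside {SHIFT_START:02d}:00-{SHIFT_END:02d}:00 shift window")
        if reasons:
            alerts.append(RuleAlert(e, reasons))
    return alerts


def behaviour_based_alerts(events, sigma=3.0, floor=5, min_history=3):
    """Flag a user-day whose distinct-patient count exceeds max(floor, mean + sigma*stdev) of prior days."""
    per_day = defaultdict(set)
    for e in events:
        per_day[(e.user, e.ts.date())].add(e.patient)
    by_user = defaultdict(list)
    for (user, day), patients in per_day.items():
        by_user[user].append((day, len(patients)))

    alerts = []
    for user, days in sorted(by_user.items()):
        history = []  # rolling baseline of this user's earlier, non-flagged daily counts
        for day, count in sorted(days):
            flagged = False
            if len(history) >= min_history:
                mu = mean(history)
                threshold = max(floor, mu + sigma * pstdev(history))
                if count > threshold:
                    alerts.append(BehaviourAlert(user, day, count, round(mu, 2), round(threshold, 2)))
                    flagged = True
            if not flagged:  # keep a snooper's own spike from inflating their baseline
                history.append(count)
    return alerts


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for a in rule_based_alerts(evs):
        print("RULE ", a.event.ts, a.event.user, a.event.patient, "; ".join(a.reasons))
    for b in behaviour_based_alerts(evs):
        print("BEHAV", b)
```

On the constructed log the rule engine reports thirteen events (nurse_a's single off-unit lookup and all twelve of nurse_b's night-time accesses), while the behaviour engine reports only nurse_b's fifth day, where twelve distinct charts against a baseline of two per day clears the threshold. Note that the four night-time accesses to MED patients would have escaped the unit rule alone; the shift rule and the volume anomaly are what catch them, which is the argument for layering both approaches.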


About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/