Privacy Briefs: July 2024

Pennsylvania-based Geisinger Health System said it experienced a breach impacting more than 1.27 million patients when a former employee of vendor Nuance Communications Inc., a Microsoft Corp. subsidiary, accessed patient information two days after he was terminated.[1] The breach was discovered on Nov. 29, but law enforcement asked Nuance to delay notifying patients, Geisinger said. The former Nuance employee was arrested and is facing federal charges. “Through its investigation, Nuance determined that the former employee may have accessed and taken information pertaining to more than one million Geisinger patients,” the health system said. “The information varied by patient but could have included names in combination with one or more of the following: date of birth, address, admit and discharge or transfer code, medical record number, race, gender, phone number, and facility name abbreviation. No claims or insurance information, credit card or bank account numbers, other financial information, or Social Security numbers were inappropriately accessed by the company’s former employee.”

An emergency room physician who illegally obtained the personal health information of two individuals and shared a sensitive photo involving one of them pleaded guilty to one count of violating HIPAA in federal court in Cedar Rapids, Iowa. Gabriel Alejandro Hernandez Roman, M.D., admitted to using his access as a resident in hospitals in Cedar Rapids and Iowa City to access medical records under false pretenses. “Dr. Hernandez Roman also admitted that, in January 2022, he sent a photograph of one of Hospital-1’s patients to another individual via SnapChat,” the U.S. Attorney’s Office for the Northern District of Iowa said. “The photograph showed the patient in a hospital setting, wearing a gown, with the patient’s rectum clearly hanging out of the body. Dr. Hernandez Roman had no legitimate medical purpose for taking this photograph or, further, for sending it via SnapChat to the individual.” Hernandez Roman also admitted that he mailed a letter in June 2023 to the Iowa Board of Medicine in which he admitted to accessing confidential medical records and sharing the photograph. In his plea agreement, Hernandez Roman admitted he falsely wrote in that letter that he had sent the photograph of the prolapsed rectum to his mother to remind her of the importance of fiber intake. Hernandez Roman faces up to five years in prison and up to $250,000 in fines.[2]
