BEND, Ore. - (Update: Adding video; comments by DA, hospital on St. Charles not notifying local police initially)
Deschutes County District Attorney John Hummel filed criminal charges Tuesday against a Prineville woman for illegally accessing scores of electronic patient records in the St. Charles Health System.
Dawnielle Vaca, 35, while employed as a certified nursing assistant at St. Charles Bend, "viewed thousands of patient records that she was unauthorized to view," Hummel said in a news release.
Vaca faces two counts of computer crime for accessing the St. Charles computer system to view the records, Hummel said. She has not been arrested, and instead was sent a letter to appear in court later this month, the DA told NewsChannel 21.
"Vaca did not have a financial motive to access the records," Hummel wrote, "and there is no evidence that any patient suffered financial harm as a result of this privacy breach." Rather, he said, "Vaca viewed the records because she was curious."
Under Oregon law, computer crime can be a Class C felony or Class A misdemeanor. In this case, based on Hummel's findings, the charges are misdemeanors. It is a "felony if done with a financial or malicious intent, otherwise a misdemeanor," the DA said.
Still. Hummel said the allegations are serious in nature and affected many people.
“Patients share intimate details of their lives with their medical providers, including mental health struggles, relationship problems, medication use, and embarrassing medical conditions,” Hummel said.
“We expect, and should demand, that these private matters will remain private," the DA added. "Oregon law makes it a crime to violate the privacy of patients, and I will never hesitate to hold accountable those who do.”
The alleged illegal patient-records access occurred between October and January, and was revealed by the hospital in March St. Charles told affected patients by letter that the then-unnamed caregiver had been fired and that the hospital system had implemented added security measures to reduce the risk of a similar incident in the future.
Hummel said he found out about the data breach through a media report, which forced him to launch his own investigation.
NewsChannel 21 asked St. Charles spokeswoman Lisa Goodman why administrators didn't notify local law enforcement.
Goodman said the following via email:.
"We hired a law fire to help carry out our notification duties to affected patients, the news media, the state attorney general and the secretary of the Department of Health and Human Services. Oregon's notification statute does not require that we alert local law enforcement."
Goodman also said St. Charles Bend has implemented changes that will help the administration to identify inappropriate access of patients' medical records.
The hospital also has updated its auditing platform and offered to those patients affected credit monitoring and identity restoration services, and information to protect their identity.
Hummel said once he began a legal review of the matter, St. Charles Health System cooperated with his office and police detectives. He added that Bend police "conducted a top-notch investigation."
Vaca's first court hearing is scheduled for Thursday, July 27 at 1:15 p.m.