BEND, Ore. - (Update: DA announces criminal investigation; hospital responds, also warns of scam call follow-up)
Deschutes County District Attorney John Hummel announced Friday he is launching a criminal investigation into the apparent privacy breach of nearly 2,500 patient records at St. Charles Health System. The hospital defended not contacting local police and said there was no indication the caregiver involved intended to commit a crime.
"I was dismayed to learn via media reports that apparently a St. Charles employee impermissibly accessed records of thousands of patients," Hummel said. "An alleged breach of this magnitude should have been reported to local police so that a proper criminal investigation could be conducted -- as far as I'm aware, this did not happen."
Hummel said he will work with local law enforcement to ensure that all relevant facts are detected, then "conduct a legal analysis to determine if any criminal laws were violated."
"At the conclusion of the investigation Hummel will announce his findings, and if warranted, file criminal charges," the DA's brief announcement said.
St. Charles Health System issued this response to Hummel's statement Friday afternoon:
"Federal and state notification laws prescribe the notification process for a privacy violation. We notified our affected patients, the Secretary of the Department of Health and Human Services, the state attorney general and the news media pursuant to those laws.
"We have no indication that the caregiver involved is intending to use our patients' information to commit a crime. Nevertheless, we've offered affected patients the option of credit monitoring and identity restoration services because we think it is the right thing to do.
"We are deeply sorry this incident occurred. Although District Attorney Hummel has yet to contact us, we are available to answer his questions at any time."
While the hospital said it appears no crime was committed, the DA said that's not their call to make.
"Just like I don't diagnose a patient's health condition, a medical professional shouldn't try to determine whether a crime was committed," Hummel told NewsChannel 21. "That job is left to police officers, district attorneys, grand juries, judges and juries in the courtroom."
Hospital spokeswoman Lisa Goodman also said a St. Charles patient reported getting a phone call from someone purporting to be with the health system and offering to help protect their information.
St. Charles is making no such calls, Goodman said, notifying possible victims by letter. If you get such a call, don't provide any personal information to the caller, she said, and contact police.
The health system announced Thursday it had discovered that a caregiver has accessed nearly 2,500 patients’ electronic medical records without authorization.
"The caregiver said in an interview that she looked at the files out of curiosity," the organization's announcement stated.
St. Charles Director of Communications and Marketing Kayley Mendenhall would not identify the worker or her location when asked by NewsChannel 21, instead noting by email that which facility she worked at “isn't relevant because our electronic medical record is integrated and covers all facilities."
NewsChannel 21's Pedro Quintana sat down with St. Charles Vice President of Compliance Nicole Hough on Thursday. She said administrators launched an investigation as soon as they discovered the violation.
"We went back on our initial review, we found indications that she was looking at (the records of) patients who were not hers, that she did not provide direct care for," Hough said. "And that is why we went back and looked at a full review of all of the medical records she had accessed."
Hough said the caregiver did admit that she looked at the electronic medical records because she was interested in the medical cases.
"She did tell us, when we interviewed her, that she was curious, and that is why she looked at the records," she said.
Hough said the caregiver did not explain during the interview on what she was doing with those records.
Administrators would not comment if the caregiver was still employed with St. Charles.
"We completed a thorough review of all records this caregiver had accessed as part of our investigation," Mendenhall said, then "took swift and appropriate disciplinary action,” declining to be more specific.
The caregiver has since signed an affidavit stating that she has never used or shared any of the confidential patient information for the purpose of committing fraud, financial crimes or other crimes against the patients whose records were among those she viewed.
Becky Robinson was receiving medical care at St. Charles Bend during the time when the female caregiver was accessing medical records. Now she is concerned her personal information could have been stolen.
Robinson also said she isn't convinced the caregiver was simply curious about medical information.
"What I can't understand is having the time to search that program out of curiosity, why do they have that kind of time if they're at work," she said.
Here;'s the rest of St. Charles' news release:
On Jan. 16, the health system launched an investigation and conducted an audit of all of the patient files accessed by the caregiver.
The audit revealed that between Oct. 8, 2014 and Jan. 16, 2017, the caregiver may have reviewed as many as 2,459 files containing patients’ names, addresses, dates of birth, health insurance information, driver’s license numbers and health information such as diagnoses, physicians’ names, medications and treatment information.
“We sincerely apologize to our patients who may have been affected by this incident,” said Nicole Hough, vice president of compliance. “We want to provide them with the information they need to understand what happened and what they can do to guard against possible fraud.”
The health system mailed a letter Thursday to those patients who are impacted. The letter includes an explanation of the incident and an offer of credit monitoring and identity restoration services, as well as additional information about how individuals can protect themselves.
St. Charles said it is also in the process of notifying state and federal regulators about the incident.
“St. Charles takes the privacy and security of our patients’ personal health information very seriously. We regard the protection of all patient information as part of our commitment to providing excellent care,” Hough said. “The health system is doing everything possible to prevent a similar privacy breach from occurring in the future, including implementing additional medical record audits.”
Individuals are encouraged to remain vigilant against incidents of identity theft and fraud, to review their account statements and to monitor their credit reports for suspicious activity. A confidential call center has also been established to answer questions about this incident. The call center phone number is 1-855-836-0069 and is available Monday through Saturday, 9 a.m. to 9 p.m. EST.
About St. Charles Health System
St. Charles Health System, Inc., headquartered in Bend, Ore., owns and operates St. Charles Bend, Madras, Prineville and Redmond. It also owns family care clinics in Bend, Madras, Prineville, Redmond and Sisters. St. Charles is a private, not-for-profit Oregon corporation and is the largest employer in Central Oregon with more than 4,200 caregivers. In addition, there are more than 350 active medical staff members and nearly 200 visiting medical staff members who partner with the health system to provide a wide range of care and service to our communities.