State inadvertently publishes PHI on web; apologizes


A website of the North Carolina Department of Health and Human Services (DHHS) that is intended to provide transparency regarding how government moneys are spent got a little too transparent recently when it displayed sensitive information belonging to more than 1,300 health care patients. DHHS inadvertently published PHI (protected health information), including patients’ names, addresses and payment amounts, on NC Openbook, a state website designed to provide transparency for payments made to government vendors and contractors. Some of the information was especially sensitive, since it involved patients receiving mental health treatments. DHHS has issued an apology and sent notification letters to all of those affected. In addition, the agency notified the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS), as required by the HIPAA Breach Notification rules. As a result, this breach will appear on HHS’s “Wall of Shame,” where the HITECH Act requires all breaches affecting more than 500 individuals to be posted.

Unlike so many breaches caused by the accidental loss of a thumb drive or laptop, this breach demonstrates the need for ongoing training of employees who deal with PHI. Training is not just for new employees of an organization. It has to be an integral, ongoing part of every organization’s policies and procedures to avoid the kind of breach described here.

To see the WSOC TV story on this, click on:


Prison sentence for hospital employee who breached patient privacy

Back in January, we wrote about Huping Zhou, a former employee at the UCLA Healthcare System, who pleaded guilty to federal charges of breaches of patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during a three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of the targeted celebrities have not been revealed.

On April 27, 2010, Zhou was sentenced to four months in prison after pleading guilty to four misdemeanor counts of HIPAA violations. Zhou is the first person ever sentenced to prison for violating HIPAA. According to NBC Los Angeles:

Federal officials say Zhou is a licensed cardiothoracic surgeon in China. In 2003, he went to work for UCLA as a researcher with the UCLA School of Medicine. But his tenure was short and stormy. School officials notified him that he would be dismissed in October that year, and that's when federal officials say the snooping began.

In his plea agreement, Zhou admitted his actions, and that he had no legitimate reason for accessing the records. Federal authorities say there's no evidence that he did it for profit. Apparently, he just did it because he could.

"Former UCLA Healthcare Worker Sentenced to Prison for Snooping," NBC Los Angeles (April 28, 2010).