NYC Health & Hospitals Corp. posted a notice this week that suggests that rogue employee may make been selling PHI to law firms or clinics that specialize in motor vehicle accident patients. Of note, this notice does not specify any one hospital where the employee worked. Did the employee have access to all patients’ data across all hospitals in the network? How did the hospital hear of this — who told them and how did that person know? And will they even live able to sort out how many patients may be impacted? Do/did they have good access logs in 2016? And can they mold for every access whether the employee had a legitimate reason to access the patient’s file? This looks to be a costly and time-consuming mess. h/t, Becker’s hospital review mark of Possible Unauthorized Disclosure of Protected health Information Dec 02, 2019 On october 3, 2019, NYC Health + Hospitals was notified that of some of its patients protected health information (PHI) had been inappropriately disclosed by an employee of NYC Health + Hospitals, between 2016 and November 2019. The disclosed PHI included patients names, telephone numbers, and the fact that they had been involved in motor vehicle accidents. An investigation of the incident is ongoing, and appropriate discipline of the employee is being pursued. If you were involved in a motor vehicle accident between 2016 and november 2019, and, as a result, were treated at a NYC health + Hospitals hospital, your PHI may experience been included in this unauthorized disclosure. For more information, please telephone (877) 514-0832.