Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer’s medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the same hospital, was frustrated by the hospital administration’s delays in responding to her complaints and notified others including the FBI, her state senator and the American Civil Liberties Union before action was taken.

The Rutland, VT Herald reports that Kathy Tatro of Bennington, VT pleaded guilty to four counts of unauthorized access to computer records in a plea bargain that imposed probation and required her to serve 160 hours of community service, which will include talking to medical employees about the importance of privacy regarding patient records. The Bennington Banner reports that Ms. Tatro was given a 6-12 month suspended sentence, 2 years probation and a $2,000 fine.

This blog has noted other instances of snooping leading to serious consequences, including the case of a UCLA researcher sentenced to prison time for reading records of celebrities and co-workers, a Texas nurse fired for unauthorized access, a California hospital fined after employees accessed Michael Jackson’s records, a New York hospital that suspended employees for accessing George Clooney’s records after a motorcycle accident, and the termination of 16 hospital employees for accessing the records of an injured first-year resident.

The Vermont ACLU claims that this incident is “believed to be the most extensive breach of personal electronic medical records ever reported in Vermont.” The ACLU noted that the victim had explained in court how the system let her down.

“No investigation was begun nor any remedial action taken until she spoke up, complained, and dogged doctors, hospital administrators and trustees, state officials, federal officials, police officers, and the state’s attorney to do something. The privacy protections in place don’t work on their own; you have to fight to protect your rights.”

Based on reports, it appears this case was brought solely under state privacy laws, not HIPAA. It is not clear whether the Vermont Attorney General was involved, even though it seems that the victim alerted a variety of authorities.

This case is yet another cautionary tale for anyone in a position to access health records without a legitimate purpose, as well as for hospitals and other covered entities, which should reevaluate the safeguards they have in place to track, prevent or at least discourage unauthorized access.

As reported previously in this blog series, the HIPAA/HITECH statutory and regulatory requirements for public disclosure of security breaches of Protected Health Information ("PHI") have been bringing new PHI security breaches to light and prompting direct intervention by state attorneys general with respect to such breaches.

The enactment of HITECH gave state attorneys general, for the first time, the ability to enforce HIPAA with respect to PHI security breaches in federal district court as parens patriae (on behalf of state residents) if they believe their residents are threatened or adversely affected by HIPAA violations. Nothing in HIPAA/HITECH prevents a state attorney general from exercising powers under state law respecting alleged PHI security breaches.

Earlier blog postings reported on (i) a settlement by the Attorney General of Connecticut (the "Connecticut Settlement") of a lawsuit brought under HIPAA/HITECH for $250,000 against Health Net, Inc., and (ii) more recently, a lawsuit filed under Indiana state law for $300,000 against Wellpoint, Inc. by the Attorney General of Indiana (collectively, the "Earlier Actions").

On January 18, 2011, Attorney General William Sorrell of Vermont and his office (collectively, the "Vermont Attorney General") announced in a press release (the "Press Release") that it had settled a lawsuit (the "Vermont Action"), by means of a consent decree which requires court approval, against Health Net, Inc., and Health Net of the Northeast, Inc. (collectively, "Health Net"). The Vermont Action involves a number of the same issues to which the Connecticut Settlement against Health Net related, including an alleged failure to promptly notify consumers endangered by the breach.

The settlement in the Vermont Action (the "Vermont Settlement") would require Health Net to pay $55,000 to Vermont, submit to a data-security audit, and file reports with Vermont regarding its information security programs for the next two years. Presumably the lower settlement amount in Vermont is attributable to the fact that, as the Press Release stated, 525 Vermonters were affected by the alleged PHI security breach, in contrast to the nearly 500,000 Connecticut enrollees alleged to have been affected in the matter resolved by the Connecticut Settlement.

Significantly, the Vermont Action, which was filed in the U.S. District Court for the District of Vermont, was, unlike the Earlier Actions, brought under both federal and state law in one lawsuit that invoked HIPAA/HITECH, as well as the Vermont Security Breach Notice and Consumer Fraud Acts. The Press Release stated that the Vermont Settlement is "Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009."

So far, state attorneys general have limited their enforcement activity under HIPAA/HITECH to cases in which insurers allegedly delayed unreasonably and at length in notifying affected individuals. Insurers may be attractive targets because they are often perceived by the public to be large, highly profitable and relatively faceless entities. It will be interesting to see when the first lawsuit is filed by an attorney general against a provider, such as a physician practice group or community hospital, and what the basis for such a lawsuit will be.

In any event, it can be expected that other attorneys general around the country will heighten their investigations of PHI security breaches and seek civil monetary payments under HIPAA/HITECH and/or state law. Perhaps more will even be heard from attorneys general who believe that citizens of their respective states have been affected by the alleged Health Net and/or Wellpoint PHI security breaches.

Prompt, decisive and positive action is required of providers, as well as insurers, to limit potential damages, rehabilitate relations with clients and the public, and reduce the likelihood of litigation and penalties.