University of California Irvine Medical Center is notifying nearly 5,000 patients that an employee inappropriately viewed their health records.
The employee's job required the employee to access patient records, but hospital officials discovered the employee had looked at additional records without a job-related purpose between June 2011 and March 2015, according to a hospital statement.
UC Irvine learned of the inappropriate access March 13.
The employee may have viewed patient information including names, birth dates, gender, medical record numbers, height, weight, medical center account numbers, allergy information, home address, medical documentation, diagnoses, test orders, test results, medications, employment status, patient health plans and employers.
The hospital said that "as far as it is possible to determine," the employee did not access or distribute Social Security numbers, driver's license, state ID card numbers or credit card information.
A computer forensics investigation determined the employee did not remove any patient information.
UC Irvine Medical Center has revoked the employee's access to the computer systems and "imposed disciplinary action," according to the notification.
More articles on data breaches:
Opinion: To enhance cybersecurity, fire CEOs who don't view it as a business risk
Dear hacker: Here is your invitation to attack our network
North Shore-LIJ notifies 18,000 patients of breach due to stolen laptops