A nurse illegally accessed a Minnesota state database containing prescription drug records for approximately 1 million patients after his access to the database was supposed to be suspended, according to a CBS Minnesota report.
The database is administered by the Minnesota Board of Pharmacy and is mainly accessible only to physicians and pharmacists. Two employees of Blue Cross and Blue Shield of Minnesota have access because the state pays the payer to monitor drugs in state-run medical programs, according to the report.
Jim Johnston, RN, is an employee of BCBS and one of the employees who had access to the database, though his access was supposed to end in March 2012 when BCBS assigned another employee to the job, according to the report.
However, the state did not take Mr. Johnston off the list of people who could access the database, and an audit found he entered the databases 249 times after his access was supposed to be terminated, according to the report.
Mr. Johnston allegedly accessed 56 patient records. He also, in one instance, shared a patient's picture with other BCBS employees on a work computer, according to the report.
BCBS said in an email that the no personal information was shared with anyone outside the company, according to the report.
Mr. Johnston was suspended in March 2013, and the Minnesota Board of Nursing fined him $5,000 and required him to undergo HIPAA training. He has since been reinstated and still works at BCBS now, though he no longer has access to the database, according to the report.
Additionally, Mr. Johnston has an alleged history of drug theft and abuse and previously admitted to stealing narcotics indicated for infants at Children's Hospital in St. Paul. In 2002, Mr. Johnston was fired from Unity Hospital in Fridley, Minn., after admitting to stealing morphine, according to the report.
Brian Krallis, a healthcare consultant in Dallas, said in the report while it isn't illegal for someone with a history of stealing drugs to access state prescription databases, is questionable.
"The fact that they actually took someone with a known history, a past record, and put this person in charge of this arena and had access to this information is what they actually call willful neglect," Mr. Krallis said in the report.
The investigation, undertaken by local Minneapolis-based WCCO-TV, questions the Minnesota Department of Health's handling of the situation, according to the report.
The DHS and Board of Pharmacy told WCCO-TV they did not know about Mr. Johnston's history of drug theft and abuse, though investigators said his records are available on the Board of Nursing's website, according to the report.
Additionally, DHS said it did not need to report this breach to the Office of Civil Rights because less than 500 individuals were affected, although HIPAA regulations require breaches affecting less than 500 patients are still required to be reported to the OCR annually, the report indicates.
More articles on breaches:
Illinois attorney general to investigate patient record disposal
5 things putting your medical practice at risk for a breach
PHI breaches jumped 25% in 2014