Fine in Marketing-Related Breach
Radiologist Used Patient Information to Seek Business
A radiologist formerly affiliated with a Connecticut hospital has agreed to pay a $20,000 civil fine as part of a settlement with the state's medical examining board for inappropriately accessing patient information to use in marketing his services (see: Breach Motivated by Marketing).
Gerald Micalizzi of Bridgeport, Conn., formerly affiliated with Griffin Hospital in Derby, Conn., agreed to pay the penalty and have his license put on probation for six months, during which time he needs to "successfully complete coursework in physician ethics, patient confidentiality and HIPAA compliance," according to the June 19 consent order issued by the state of Connecticut Dept. of Public Health.
The state alleged, and Micalizzi did not contest, that from Feb. 4, 2010, to March 5, 2010, the radiologist, using his home computer, "improperly accessed numerous patient records" from Griffin Hospital's Picture Archiving and Communications System, using the user name and password of other physicians without their consent.
According to a Griffin Hospital statement issued not long after the breach was discovered two years ago, an internal investigation found that the physician gained unauthorized access and scanned the PACS directory listings of 957 patients who had radiology studies performed at the hospital. During that one-month period, the doctor selected and downloaded the image files of 339 of these patients.
Micalizzi was formerly a member of the Griffin Hospital medical staff who had been employed by the radiology group with which Griffin Hospital contracted for its radiology professional services. During that time, the radiologist was authorized to access the PACS.
The physician's employment with the radiology group was terminated on Feb. 3, 2010. That resulted in the loss of his medical staff appointment at Griffin Hospital and his authorization to access the PACS. At the same time as the physician's PACS access was terminated, his access password was revoked, according to the hospital statement.
The hospital was tipped off about the unauthorized data access in late February 2010 when it began receiving inquiries from patients regarding unsolicited contact by Micalizzi, who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin Hospital.