Employee Snooping: Personal, Professional, Criminal

Veriphyr proactively reports impermissible use of PHI the first time it happens. 

It’s Personal

Back in 2008, Dr. Joshua Welch had an affair with a woman, “Anne”. After informing him she may have contracted an STI, Anne suspected that Dr. Welch had snooped in her medical records. Anne requested an audit.

The resulting investigation found that Dr. Welch had snooped into Anne’s records, as well as those of seven other women. In 2010, Welch pleaded guilty. His punishment was a suspension, corrective counseling, and monitoring for years afterward.

The hospital took two years to investigate and charge Dr. Welch.

Similarly, in Yorkshire, UK, an IT worker was found to have impermissibly accessed women’s protected health information (PHI) 431 times. Family, friends, and colleagues were the targets in 336 instances (b).

The IT worker was sentenced to six months in prison and two months’ suspension (c).


Curiosity Killed HIPAA Compliance

In a survey conducted in 2011, Veriphyr found that snooping on friends and family made up almost thirty percent of insider patient privacy breaches. One major university hospital had to fire thirteen employees for snooping in patient records.

Newsworthy patients are similarly at high risk. From celebrities to patients caught up in tragedies, employees have snooped out of curiosity since the advent of EHR.

Numerous nurses and doctors scroll through medical records just to see what they’d find. In 2010, Dr. Zhou was sentenced to four months in prison after impermissibly looking at patients’ protected health information (PHI) 323 times. Meanwhile, in Canada, one nurse was found scrolling through the records of 5,800 patients.

Unfortunately, patient privacy breaches by employees can also be driven by criminal intent.


Criminal Intentions

A UK insurance salesman is currently on trial for bribing a former coworker to send him pictures of clients’ PHI in order to increase his sales.

On the black market, PHI can be sold for around $50. A pair of medical office assistants collected patients’ PHI for such a profit back in 2011. It turned out they were part of a much larger bank fraud ring.


Veriphyr Can Help

Whether employees are snooping out of curiosity or with malicious intent, Veriphyr detects and reports impermissible use of patient data the first time it happens.

To understand how your medical center can detect impermissible use early on, you can get Alan Norquist’s advice here.



(a) Seven Days – February 24, 2010

(b) The Yorkshire Post – September 16, 2010

(c) The Register – October 5, 2010