Fine in Marketing-Related Breach

Radiologist Used Patient Information to Seek Business
Fine in Marketing-Related Breach

A radiologist formerly affiliated with a Connecticut hospital has agreed to pay a $20,000 civil fine as part of a settlement with the state's medical examining board for inappropriately accessing patient information to use in marketing his services (see: Breach Motivated by Marketing).

See Also: The 2022 Human Factor Report Explores a Year of Headline-Making Attacks

Gerald Micalizzi of Bridgeport, Conn., formerly affiliated with Griffin Hospital in Derby, Conn, agreed to pay the penalty and have his license put on probation for six months, during which time he needs to "successfully complete coursework in physician ethics, patient confidentiality and HIPAA compliance," according to the June 19 consent order issued by the state of Connecticut Dept. of Public Health.

The state alleged, and Micalizzi did not contest, that from Feb. 4, 2010, to March 5, 2010, the radiologist, using his home computer, "improperly accessed numerous patient records" from Griffin Hospital's Picture Archiving and Communications System, using the user name and password of other physicians without their consent.

According to a Griffin Hospital statement issued not long after the breach was discovered two years ago, an internal investigation found that the physician gained unauthorized access and scanned the PACS directory listings of 957 patients who had radiology studies performed at the hospital. During that one-month period, the doctor selected and downloaded the image files of 339 of these patients.

Micalizzi was formerly a member of the Griffin Hospital medical staff who had been employed by the radiology group with which Griffin Hospital contracted for its radiology professional services. During that time, the radiologist was authorized to access to the PACS.

The physician's employment with the radiology group was terminated on Feb. 3, 2010. That resulted in the loss of his medical staff appointment at Griffin Hospital and his authorization to access the PACS. At the same time as the physician's PACS access was terminated, his access password was revoked, according to the hospital statement.

The hospital was tipped off about the unauthorized data access in late February 2010 when it began receiving inquiries from patients regarding unsolicited contact by Micalizzi, who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin Hospital.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.