A “super snooper” violates patient privacy

After a concern was raised by a few Asante employees about a possible snooping incident, our Privacy team conducted a full investigation into the alleged breach of patient health information by Paul Hoffman, MD.

Dr. Hoffman is not an Asante employee, but he did have access to our electronic health record system to treat his patients when they were seen at an Asante facility.

The investigation uncovered that he accessed a number of records between June 12, 2014, and Jan. 3, 2023, which may have been without a valid clinical purpose.

“This is the worst case of snooping in Asante’s history,” said Erick Edtl, director of Compliance. “Dr. Hoffman’s actions are not representative of Asante’s culture and could have a serious impact on our patients, our employees and their trust in Asante.”

In response to the investigation, Asante immediately terminated Dr. Hoffman’s access to our EHR systems and reported his conduct to the Oregon Medical Board.

Dr. Hoffman’s access included patients’ name, demographic information, and diagnostic and treatment information. He did not have access to patients’ full social security number, driver’s license number, or payment card or bank account information.

“Our investigation indicates Dr. Hoffman accessed records out of curiosity rather than for fraudulent purposes,” Edtl said. “We do not believe potentially affected patients need to take any steps in response to this incident or that this incident increases their risk of identity theft.”

Asante is informing affected individuals this week and notifying media outlets in Oregon and California where the majority of people were impacted by Dr. Hoffman’s actions.

“We fully expect patients to be shocked and disappointed by the fact that a physician would violate their privacy so recklessly,” Edtl said. “Informing patients directly of this incident and the steps we’re taking in response are the first steps toward rebuilding trust with our patients and community.”

For patients who have questions or concerns, a dedicated call center was set up at (866) 674-4359.

How this happened

Asante uses electronic auditing systems such as FairWarning to review every user’s access to our electronic health record system and identify cases of inappropriate access. In most instances, bad actors are quickly discovered.

In the case of Dr. Hoffman, there were two main reasons why his snooping went undetected. First, he began snooping in 2014 before Asante implemented FairWarning, thus the system viewed his snooping activity as “normal.” Second, Dr. Hoffman is not an employee of Asante, and therefore we had limited information about him to compare against the patients he was accessing.

“In light of this incident, we are evaluating additional opportunities to better detect potentially inappropriate access,” Edtl said.

Asante has a zero-tolerance policy when it comes to snooping, and Compliance provides ongoing education to employees and medical staff to help ensure they understand what constitutes snooping. Already this year, the Privacy team has investigated about 20 reports of inappropriate access. Most of these investigations were driven by Asante’s privacy monitoring tool, FairWarning.

“We are incredibly grateful to our employees who have the courage to bring forward concerns about possible snooping,” Edtl said. “Their actions are helping up uphold our values of honesty and respect.”