Like any mother of young children who shares visitation, Jennifer Lynne Bacor just wanted to make sure her ex-boyfriend was up to the task. So when she learned in 2017 that he had a serious leg wound that wasn’t healing, Bacor expressed her concerns to a family friend, sharing a disturbing photo that showed the seriousness of the injury.
The friend sent the photo via Facebook Messenger to the ex-boyfriend and warned him to take care of himself. Bacor’s cell phone photo was from the man’s medical record, which she accessed even though she worked in an unrelated section of Mercy Medical Center in Cedar Rapids, Iowa.
The ex-boyfriend, “J.B.,” reported the incident to Mercy, and Bacor was fired. She later moved to another state with her sons and a new partner, and tried to put the incident behind her. Yet four years later, Bacor found herself being sentenced after pleading guilty to a felony—wrongfully obtaining individually identifiable health information by false pretenses, a charge stemming from her 2017 actions.[1] After so much time had passed, Bacor had never dreamed she’d find herself in this situation, she told RPP in an exclusive interview.
It is safe to say that every day health care workers violate HIPAA by snooping in medical records of others—often without a nefarious reason. Like Bacor, they don’t sell the information to the gossip site TMZ. They don’t hawk it on the Dark Web where it can be used to commit identity theft and financial fraud. They don’t post the information publicly. Perhaps they are checking on the health of a friend or relative.
Mostly these misdeeds remain hidden, certainly from the public, but often from employers, as hospitals and other covered entities don’t always have the systems in place to log workers’ access or fail to perform regular audits that might spot such issues.