HomeLearnBoKEvents & Case StudiesHealthcare Snooping and Medical Record Misuse
Back to Hub
Last Reviewed: 2026-06-24
Reviewer: ITMG® Security Advisory
BoK Reference Sheet
Reference Case study

Healthcare Snooping and Medical Record Misuse

Healthcare snooping occurs when a workforce member accesses patient, member, or health information without a treatment, payment, healthcare operations, or other authorized purpose.

Based on real event: UCLA Health System HIPAA resolution involving employee snooping.

Incident Case Analysis & Real-World Context

Case basis: Based on real event. HHS OCR resolved a matter involving UCLA Health System after allegations that unauthorized employees repeatedly accessed electronic protected health information of celebrity patients and other patients without a permissible reason. The case illustrates that insider risk in healthcare includes unauthorized viewing, not only theft or external disclosure.

Why This Event Pattern Matters

Healthcare insider events can create regulatory, patient-trust, employment, licensing, and notification consequences even when no large-scale exfiltration occurs. Curiosity access is still an insider-risk event when the user lacks a legitimate purpose.

Common Event Scenarios & Progression Path

EHR, claims, pharmacy, billing, or image-system access by workforce member.

Access to celebrity, co-worker, family, neighbor, VIP, or former partner record.

Break-glass or emergency-access activity without sufficient justification.

Need for privacy review, sanction process, and audit evidence.

IRCF™ Capability Alignment

Lessons from this event pattern directly map to the following canonical Insider Risk Capability Framework™ (IRCF™) components for organizational capability improvement:

Data ProtectionIAMMonitoringAnalysisInvestigationPrivacyTraining and AwarenessOversight and Compliance

Insider Threat Matrix Alignment

Matrix mapping includes preparation through patient-record search and infringement through unauthorized access or disclosure. Avoid overstating motive beyond supported facts.

*The Insider Threat Matrix™ is an open framework maintained by Forscie Limited for computer-enabled insider threat investigations.

Controls & Safeguards to Leverage

Minimum necessary and role-based EHR permissions.
VIP, employee, family, and break-glass audit review.
Privacy investigation workflow and sanction policy.
Training with realistic healthcare snooping scenarios.
Identity and shared-credential controls.

Relevant Program Metrics & KPIs

Metric
Unauthorized patient-record access findings.
Metric
VIP/employee-record audit exceptions.
Metric
Break-glass events reviewed on time.
Metric
Privacy investigation closure time.
Metric
Repeat access-policy violations.

Legal, Privacy, and Ethical Cautions

Healthcare snooping may implicate HIPAA, state privacy laws, professional licensing, employment action, patient notification, and evidence preservation. Handle patient details with strict confidentiality.

Source References & Investigation Fact-Verification

HHS OCR, Resolution Agreement: UCLA Health System, July 2011.

Operationalize This Learning

Need to evaluate whether this scenario is covered in your environment? Use RiskTKO® or request a Guided Exposure Assessment to evaluate your current control coverage, capability maturity, and exposure trends.