Former UPMC Employee Jailed for Unauthoized Access of PHI

A former employee of the University of Pittsburgh Medical Center (UPMC) has been indicted by a federal grand jury and has been sentenced to serve one year in prison for the unauthorized and disclosure of patient protected health information (PHI).

Linda Sue Kalina, 62, worked as a patient care coordinator at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network. Between March 30, 2016, and June 15, 2017, Kalina accessed the medical records of patients without the proper authorization to do so.

Kalina used her position at the facility to snoop on the records of friends, old classmates, and people against whom she held a grudge. In once instance, she used the data to cause malicious damage against her previous employer, Frank J. Zottola Construction.

Kalina had been working at Frank J. Zottola Construction as office manager for 24 years before losing the position and being replaced by a younger woman. Kalina logged onto that woman’s medical records and shared gynaecological information about the woman to the Zottola controller in June 2017. Kalina also left a voicemail message in which the medical information of the new office manager and one other Zottola employee was shared.

The Health Insurance Portability and Accountability Act (HIPAA) dictates that staff members of medical facilities must have a legitimate reason to access patient data, such as needing to access the information for treatment or payment reasons. Kalina had no justifiable reason to access the patient data and abused her access to data for malicious purposes.

Zottola informed UPMC of Kalina’s behaviour, which resulted in Kalina losing her job. She was later employed by Allegheny Health Network where she is alleged to have begun accessing patient records without authorization.

In total, investigators determined that Kalina improperly accessed the records of 111 patients.

Kalina was brought before a federal grand jury in Pittsburgh for her actions and charged with six counts of wrongfully obtaining and disclosing health information. Kalina plead guilty to the charges.  In her defence, she claimed she was going through a stressful time in her life and had health issues. She also claimed she was not aware she was breaking the law and did not realize that accessing patient files could be illegal. Kalina and her legal representatives were seeking probation due to Kalina’s ongoing family commitments.

Prosecutors said that Kalina had been provided with HIPAA training and was aware of the rules surrounding PHI access, and stated that her claim of ignorance was ‘a complete farce.” The U.S. attorney’s office sought a jail term of between six and twelve months.

U.S. District Judge Arthur Schwab gave her a jail term at the top end of that scale as the crime was very ‘egregious.’ Kalina was sentenced to one year in jail followed by 3 years of probation.