Over on PHIprivacy.net, I’ve been covering a HIPAA privacy complaint concerning Monroeville, Pennsylvania’s EMS operations. At the heart of the complaint, people who had no current reason to receive EMS alerts by text or email were receiving notifications on medical emergency calls. Charges and counter-charges have rocked the community, with the police chief being demoted and then fired, and the assistant chief of police – the individual who filed the complaint with HHS – being promoted. HHS is still investigating his HIPAA complaint (as far as I know), but there was another issue at the same time: that people in EMS were able to access the police databases – which they should not have been able to do. Although that situation posed a significant security and privacy issue in its own right, that is not a matter for HHS, and was only investigated by Monroeville internally.
But now Paul van Osdol reports:
The state Attorney General’s Office is investigating whether Monroeville officials violated state law by improperly accessing criminal history information, WTAE has learned.
In an Oct. 28 letter to Monroeville Manager Lynette McKinney, Deputy Attorney General Lawrence Cherba said he planned to meet with municipality officials to discuss “infractions of the Criminal History Records Information Act.”
Cherba said he would be accompanied by David Peifer, who heads the Bureau of Special Investigations at the AG’s office.
Mayor Greg Erosenko said he does not believe Monroeville officials are the targets of a criminal investigation.
Read more on WTAE. It’s not clear to me whether this is related to EMS personnel accessing the police database or something else. If the latter, it would be the third privacy and/or security issue within the last year or so.