Updated: February 12, 2020 09:04 PM
Created: February 12, 2020 07:22 PM
GATES, N.Y. (WHEC) — The victim of a years-long violation of the privacy of her medical records said she wanted to hold Rochester Regional Health accountable.
Kristina Ciaccia says former ACM Global Laboratories employee Jessica Meier illegally accessed her medical records hundreds of times over a period of two years, possibly to find embarrassing information for a child custody fight.
ACM Global Laboratory is part of Rochester Regional Health.
"I feel like Rochester regional paid her, all year, to go through my medical records,” Ciaccia said.
Meier, 41, of Hamlin, was arraigned in Gates town court Tuesday night on 215 counts of felony computer trespass and 215 counts of misdemeanor unauthorized use of a computer.
She pleaded not guilty and her case was expected to go before a grand jury next.
According to prosecutors, Meier illegally peeked at Ciaccia’s records, and at some of Ciaccia’s family’s records using access she had at her job at the ACM Global Laboratory in Gates.
“I want to make sure she has held accountable but, Rochester regional has a liability here too,” Ciaccia said. “I mean… Over two years? Several other people now involved in my family? That’s not fair to me. That’s not fair to them. It should have been stopped way before it got to this level.”
Court documents allege the intrusions took place between March of 2017 and August of 2019.
Ciaccia showed News10NBC an audit by Rochester Regional Health, which she received in September, which showed more than 200 instances of Meier examining Ciaccia’s private files.
Ciaccia said she was troubled that nothing was done to stop the repeated incursions until she contacted Rochester Regional herself.
She also sniffed at a letter she received from the company.
“‘We’ll let you know promptly if a breach occurs that may have compromised the privacy or security of your information,’” she read from the letter.
“I called them!” Ciaccia exclaimed, shrugging. “Over two years… That was a lie.”
After receiving the audit, she took it to police, first in Irondequoit, then in Gates, where Meier worked.
She described investigators as astonished by the magnitude of the apparent security breaches and the matter was referred to the Monroe County District Attorney’s office.
Under the federal Health Insurance Portability and Accountability Act, known as "HIPAA," private medical information is supposed to be kept confidential.
When News10NBC contacted the U.S. Health and Human Services Department's Office of Civil Rights, which enforces HIPAA, representative Rachel Seeger replied that “Generally, the HHS Office for Civil Rights (OCR) does not comment on open or potential investigations.”
The New York Attorney general's office told News 10 NBC it's leaving this case up to the Monroe County District Attorney.
For its part, Rochester Regional Health would only say that Jessica Meier is not a current employee.
Ciaccia said she wanted to see Meier held accountable, and kept from ever dealing with anyone’s private information, but reserved extra criticism for Rochester Regional.
“You get trained in a medical field. I worked in the medical field before,” Ciaccia said. “She violated HIPAA She violated every policy under that job. They're well aware of. There's a class on it."
Data security lawyer Jimmy Paulino observed that state and federal standards for protecting medical records are strict, and said systems do exist whereby Rochester Regional could tighten up security to protect against even the kind of renegade employee Meier is accused of being.
But he said the question for regulators, and if anybody tries to sue, is what risks could reasonably be expected.
“If you can’t foresee that this would happen, then you can’t be responsible for it,” Paulino said. “If that person has been working there for 20 years and they’ve been looking at medical records for 20 years, the fact that I’m looking at medical records for two years it’s not going to be a red flag.”
Copyright 2020 - WHEC-TV, LLC A Hubbard Broadcasting Company