Omaha medical assistants sentenced for wrongful disclosure of PHI
Kirsten Peremore
Mar 20, 2025 5:11:46 PM
An FBI investigation found that two employees wrongfully accessed and disclosed patient information. The employees have since been convicted and sentenced to probation.
What happened
On December 11, 2023, while working at Mid-City OB-GYN in Omaha, Nebraska, medical assistants Kiara Gross, 24, and Olivia Gross, 47, wrongfully accessed and disclosed individually identifiable health information related to a patient, identified as Victim 1, without authorization. Victim 1 had last received medical treatment at Mid-City OB-GYN in approximately July 2023.
Both Kiara and Olivia Gross were employees of the healthcare provider, with Kiara working there from May 2019 to December 13, 2023, and Olivia from July 2009 to December 2023. As employees of a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), their unauthorized access and disclosure of Victim 1’s health information constituted a violation of HIPAA regulations.
Following an investigation by the FBI, both were charged with wrongful disclosure of health information. In federal court in Omaha, Chief United States District Court Judge Robert F. Rossiter, Jr. sentenced Kiara Gross on March 7, 2025, and Olivia Gross on March 14, 2025, both receiving two years of probation for their offenses.
What was said
The Department of Justice press release notes, “HIPAA precludes access to, and use of, and disclosure of a patient’s individually identifiable health information without a patient’s authorization. Kiara Gross was employed at Mid-City OB-GYN from on or about May 2019, to on or about December 13, 2023. Kiara Gross worked as a medical assistant. Olivia Gross was employed at Mid-City OB-GYN from on or about July 2009, to on or about December 2023. Olivia Gross worked as a medical assistant.”
Why it matters
The unauthorized access and disclosure of patient health information by Kiara and Olivia Gross violate a patient's fundamental right to medical privacy and expose sensitive information to potential misuse. HIPAA’s Privacy Rule (45 CFR § 164.502) explicitly prohibits the unauthorized use and disclosure of protected health information (PHI) without patient consent.
Their actions also likely violated HIPAA’s Minimum Necessary Standard, which states employees should only access PHI necessary for their job functions. These regulations exist to prevent breaches that could lead to identity theft, discrimination, or personal harm.
FAQs
What constitutes unauthorized access to patient records?
Unauthorized access occurs when an individual without proper clearance views or handles protected health information (PHI) without a legitimate need for treatment, payment, or healthcare operations.
How do we prevent unauthorized access to electronic PHI (ePHI)?
Implement robust access controls, such as unique login credentials and role-based access, to limit who can view ePHI.
What are the consequences for employees who access patient records without authorization?
Consequences can range from additional training for first-time offenders to termination and legal action for repeated or malicious violations. The severity depends on the organization's policies and the nature of the violation.