Sentara Health recently notified patients that their lab services were impacted by a data breach.
Sentara Health, a lab service provider, notified the Department of Health and Human Services (HHS) on June 9th, 2025, of a data breach.
According to the notice, the breach impacted patients who received lab tests between January and April 10th, 2025. Information accessed may have included names, addresses, dates of birth, patient identification numbers, medical record numbers, telephone numbers, Social Security Numbers, lab tests that were ordered, patient provider names, and the dates of labs that were ordered.
In Sentara’s report to the HHS, they said 13,278 individuals had their electronic medical records impacted by an unauthorized user.
Unique to this case, Sentara’s public notice revealed that the breach was linked to two remote employees hired in January 2025 to process lab requisitions, which are the orders that determine what lab tests need to be run for a patient.
The individuals worked remotely, but on April 3rd, 2025, their manager expressed concerns about the employees' identities in virtual meetings. According to the notice, the manager had concerns “that the pictures the individuals submitted as part of the hiring process did not appear to match the individuals participating.”
In response, Sentara’s privacy and cybersecurity departments completed an investigation. The investigation determined that while the individuals were performing the correct job duties, they were performing them outside of the United States. The employees were unable to confirm that they were the individuals Sentara believed they had hired. Upon the discovery, the individuals’ access to Sentara’s systems was terminated.
This unique case shows that breaches can come from uncommon sources. It’s unclear if the employees were maliciously accessing data or simply seeking work. Nevertheless, only authorized individuals can have access to protected health information. Although this case may not have been insidious, Sentara may now face more intense scrutiny and a loss of patient trust.
Insider threats are common, but they can also be unintentional. In this instance, it’s unclear if the employees were looking to harm the organization or simply seeking work from outside the US. Regardless, organizations must be diligent in thoroughly meeting all state and government requirements for data handling.
It’s uncommon for individuals to successfully pose as others to gain access to healthcare data. However, this issue could have likely been avoided if the employees had been more thoroughly screened. Employers should always check that an employee's identification matches how they look, or seek further proof of identification if there is any concern.