MINNEAPOLIS (WCCO) — A nurse with a history of narcotics theft illegally accessed a state database that contains prescription drug records for 1 million Minnesotans, all under the supervision of government entities that cost taxpayers hundreds of millions of dollars annually.
A WCCO-TV investigation found that, despite the nurse’s background, he was given access to the database by both the Minnesota Department of Human Services and the state’s largest insurer, Blue Cross and Blue Shield.
There are major questions about how state officials and Blue Cross Blue Shield handled this breach.
The state database with the names, addresses and prescription records for 1 million Minnesotans was set up in 2010 to monitor the abuse of prescription drugs.
It is administered by the Minnesota Board of Pharmacy.
“Usually when people are addicted to medications they go to multiple prescribers in a short period of time,” Minnesota Board of Pharmacy executive director Cody Wiberg said.
Access to the database is mostly limited to physicians and pharmacists, but two Blue Cross Blue Shield employees also have access. The reason for that is because the state pays Blue Cross to monitor drugs in state-run medical programs.
In 2010, one of the employees the state of Minnesota and Blue Cross allowed to access the database was registered nurse Jim Johnston. Johnston’s access was supposed to end in March 2012, when Blue Cross Blue Shield told the state they were assigning another employee to the job.
The state failed to take Johnston off the list of legal users. Eight months later, an audit found Johnston had gone into the databases 249 times when he shouldn’t have.
He looked at 56 individual patients’ records, meaning he accessed some people more than once.
When asked if that represents a violation of federal law, specifically the Health Insurance Portability and Accountability Act (HIPAA), as well as state law, Wiberg replied, “Yes, it’s very clear under federal law and state law that you can only access the data when you have a need to access the data.”
A state investigation also found that Johnston accessed patients’ personal social media accounts, and in one case shared a patient’s picture with other Blue Cross Blue Shield employees on a work computer.
Johnston and Blue Cross Blue Shield refused repeated requests for interviews, so is not clear why Johnston accessed the private information and what, if anything, he did with it.
What is clear is if he has a documented record of stealing and abusing narcotics — a record the Minnesota Department of Human Services and the Minnesota Board of Pharmacy told us they did not know about until WCCO-TV told them — Johnston was never criminally charged.
But his discipline records are easy to find on the state Board of Nursing’s website. In 2000, he admitted to stealing narcotics meant for critically ill infants at Children’s Hospital in St. Paul and was fired. And in 2002, he was fired from Unity Hospital in Fridley after testing positive and admitting to stealing morphine.
Johnston never lost his nursing license. He was fined and required extra supervision for a time. His LinkedIn page says three months after being fired from Unity he began working for Blue Cross Blue Shield.
It is not a violation of state law for someone with a history of drug theft to have access to the state prescription database. But Brian Krallis, a Dallas-based health care consultant, said it raises serious questions under federal health privacy laws.
“The fact that they actually took someone with a known history, a past record, and put this person in charge of this arena and had access to this information is what they actually call willful neglect,” Krallis said.
Johnston told investigators that he told a Blue Cross Blue Shield supervisor in 2012 that he still had access to the database and that the supervisor did not tell him to stop. WCCO asked the company about that, but they did not respond.
“That’s a major problem because at this point Blue Cross Blue Shield cannot say it did not know there was a problem,” Hamline law professor David Schultz said.
Krallis and the Board of Pharmacy said the accessing of each of the 56 individual patient records was illegal and Blue Cross Blue Shield could be subject to major federal government fines.
“He purposely went in to review patient records, and any time that happens that individual has a right to know their information was compromised,” Krallis said.
But the Minnesota Department of Human Services says only 16 of the patients records were accessed illegally. Their reasoning: while Johnston didn’t have legal access to the database, two others at Blue Cross did.
Schultz said the Minnesota DHS got it wrong.
“It doesn’t make any sense. If he is illegally accessing it, he is illegally accessing it, and it doesn’t matter whether Blue Cross had legal access to the rest of them,” he said.
When WCCO-TV went to the Minnesota DHS for answers, they gave us an interpretation of federal HIPAA law that three experts told us is wrong. That is significant because the Minnesota DHS manages health care programs for 1 million Minnesotans.
The Minnesota DHS told us there was no need to report any of this breach to federal authorities because the reporting requirement is for breaches of 500 or more individuals. Page 60 of the HIPAA regulations indicates breaches affecting less than 500 patients shall be reported annually.
“They just got that wrong and I wonder for how many years they have been operating under that incorrect interpretation,” Schultz said. “Federal law saying you must report, and they are not reporting.”
Minnesota taxpayers paid Blue Cross Blue Shield $565 million in 2014 for managed health care programs.
“I would have serious misgivings about giving money, especially taxpayer dollars, to an entity that does not appear like it’s following even the simplest of regulations,” Krallis said.
After investigating the breach, the Board of Nursing disciplined Johnston, ordering him to undergo HIPAA training and fined him $5,000.
Johnston no longer has access to the drug database.
While Blue Cross Blue Shield suspended Johnston in March 2013, he was later reinstated and continues to work there as an access management specialist, a fact that Krallis called unbelievable.
“It’s such a gross violation and infringement,” Krallis said. “That he still has a job, I really am at a loss. I don’t even know what to say.”
Through email, Blue Cross Blue Shield told WCCO-TV the breach is an isolated situation and no personal information was shared with anyone outside the company.
The Federal Department of Human Services, which administers HIPAA laws, would not comment.