If a Hospital Employee Accessed My Records, What Can I Sue For? Medical Privacy Lawsuits in West Virginia and New York

The call usually starts the same way. A patient hears from a friend or family member that something private about her medical care is being talked about, a pregnancy she had not announced, or a diagnosis she had not shared. She traces the leak back to a hospital employee with a personal connection who pulled her chart without any treatment reason.

At Mehalic Law PLLC, attorney Jeff Mehalic represents consumers in West Virginia and New York whose medical privacy has been invaded by hospital staff. Our practice focuses exclusively on representing patients, never hospitals or insurers. The questions below answer what readers in this situation want to know: Can I sue? Who do I sue? And what is the case worth?

Can I Sue a Hospital When an Employee Looked at My Records Without a Treatment Reason?

Yes. While federal HIPAA does not allow patients to sue directly, both West Virginia and New York recognize state-law claims against hospitals when an employee accesses medical records without a legitimate treatment purpose. Patients can pursue breach of confidentiality, invasion of privacy, and negligent supervision claims and recover damages for emotional distress and reputational harm.

The reason these cases work, even though HIPAA gives patients no direct claim of their own, is that state courts have built their own remedies — and the lawsuit usually targets the hospital rather than the employee who did the snooping.

In West Virginia, the Supreme Court of Appeals held in R.K. v. St. Mary’s Medical Center, Inc. that common-law claims for wrongful disclosure of medical information survive HIPAA preemption. In New York, the Court of Appeals reached a parallel conclusion in Chanko v. American Broadcasting Companies, Inc., confirming that a patient can sue a hospital and treating physician directly for breach of physician-patient confidentiality. What the federal law fails to provide, state law has stepped in to cover.

Is HIPAA Snooping a Crime, and Why Can’t I Sue Under HIPAA Directly?

HIPAA does not include a private right of action. Patients cannot personally file a federal lawsuit under HIPAA. The federal statute is enforced by the HHS Office for Civil Rights, which can fine facilities, and by the Department of Justice, which prosecutes intentional snooping criminally. A former UCLA Healthcare System employee was sentenced to four months in federal prison for accessing patient records without permission.

Most patients assume the law that protects their privacy must also let them enforce it. HIPAA was instead built as a regulatory statute, enforced through two channels:

  • Civil enforcement by the HHS Office for Civil Rights, which can impose corrective action plans and monetary penalties on the facility. Patients can file an OCR complaint within 180 days of learning of the violation, but the patient is not a party to OCR enforcement.
  • Criminal prosecution by the Department of Justice for knowing, wrongful access. The first federal prison sentence under HIPAA’s criminal provisions went to a UCLA Healthcare System employee who looked at celebrity records.

HIPAA does, however, provide a standard of care for civil cases. West Virginia and New York courts use HIPAA to define what a reasonable hospital should have done — so a HIPAA Privacy Rule breach becomes evidence of negligence under state tort law.

What Legal Claims Can I Bring When a Hospital Employee Snoops on My Records?

Patients in West Virginia and New York can pursue several overlapping theories of liability: breach of physician-patient confidentiality, invasion of privacy, negligent hiring or supervision, breach of fiduciary duty, and infliction of emotional distress. An experienced consumer privacy attorney pleads multiple claims to maximize recovery.

Each of the theories below attacks the same misconduct from a different direction, which is why a strong complaint rarely rests on just one.

Breach of Physician-Patient Confidentiality

Hospitals and physicians owe an independent legal duty of confidentiality to every patient. New York anchors this duty in CPLR § 4504(a) plus the common-law fiduciary obligations recognized in Chanko v. ABC. West Virginia recognizes the same duty as a stand-alone tort separate from any medical malpractice claim.

Invasion of Privacy

West Virginia recognizes all four privacy torts described in the Restatement (Second) of Torts, with Crump v. Beckley Newspapers, Inc. as the leading case. The two that fit medical records snooping are intrusion upon seclusion (the employee viewed the chart with no business reason) and public disclosure of private facts (the employee shared what she saw). In Tabata v. Charleston Area Medical Center, the West Virginia Supreme Court of Appeals held that patients have standing to bring these claims even without economic loss. New York recognizes parallel claims through its common-law framework.

Negligent Hiring, Supervision, and Training

This claim targets the hospital’s own conduct. The facility owes patients a duty to:

  • Screen and credential employees with access to electronic health records
  • Monitor audit logs for suspicious access patterns
  • Train staff on the HIPAA minimum-necessary standard
  • Impose meaningful sanctions when snooping occurs

When the hospital fails any of these duties, the facility itself is liable. New York’s Court of Appeals confirmed in Judith M. v. Sisters of Charity Hospital that these direct claims survive even when the employee acted outside the scope of employment.

Breach of Fiduciary Duty and Emotional Distress Claims

A hospital holds a fiduciary relationship with its patients, opening the door to broader equitable remedies and punitive damages in cases of conscious disregard. Intentional or negligent infliction of emotional distress claims are reserved for the most egregious conduct or where psychological harm requires professional treatment.

Why Should I Sue the Hospital and Not the Employee Who Actually Looked at My Records?

Naming only the snooping employee gives the hospital an easy out: blame the rogue worker and walk away. Suing the facility instead forces the hospital to defend its own training, supervision, and security practices. Hospitals carry liability insurance and the resources to satisfy a judgment. Individual employees almost never do.

This is one of the most important strategic decisions in a medical privacy lawsuit, and the one that surprises clients most often. The instinct is to chase the person who actually did the looking. But naming the individual employee almost always weakens the case:

  1. The hospital will blame the employee. With the employee named as a co-defendant, the hospital argues her conduct was outside the scope of employment and that the facility followed every reasonable safeguard. The patient ends up watching two defendants point fingers while the case loses momentum.
  2. Direct claims against the facility are stronger. Negligent hiring, negligent supervision, breach of fiduciary duty, and failure to train cannot be blamed on the employee — the duty was owed by the facility itself.
  3. Collectibility matters. Hospitals carry liability insurance. The employee, usually a nurse, technician, or administrative staffer, almost never does.

The facility is the right defendant. The employee can still be deposed and face employment and criminal consequences, without giving the hospital a target to deflect blame onto.

Is This Considered Medical Malpractice in West Virginia or New York?

No. In West Virginia, the Supreme Court of Appeals held in R.K. v. St. Mary’s Medical Center that wrongful disclosure of medical information is not governed by the Medical Professional Liability Act. No Certificate of Merit and no pre-suit notice are required. New York courts likewise treat breach of physician-patient confidentiality as a distinct tort separate from medical malpractice procedural requirements.

This question matters because both states impose extra hurdles on medical malpractice plaintiffs that defendants try to apply to medical privacy cases.

In West Virginia, the Medical Professional Liability Act (“MPLA”) requires a Notice of Claim and a Screening Certificate of Merit signed by a qualified medical professional at least 30 days before filing suit. Failure to comply is grounds for dismissal, and the MPLA caps non-economic damages.

Hospital defense lawyers routinely argue that medical records snooping cases are “really” medical malpractice cases, so the MPLA applies. The West Virginia Supreme Court of Appeals rejected that argument in R.K. v. St. Mary’s Medical Center, Inc., holding that common-law claims for wrongful disclosure are not governed by the MPLA. The U.S. Supreme Court denied certiorari, making the ruling firm precedent. A 2025 West Virginia Supreme Court decision confirmed that the MPLA applies only when a claim involves death or injury — not pure privacy harms.

New York courts likewise treat breach of physician-patient confidentiality as a distinct tort, separate from the 2-year-and-6-month medical malpractice statute under CPLR § 214-a. The practical effect in both states: a medical records snooping case can be filed without the procedural delays and damages caps that ordinarily apply to medical malpractice suits.

What Damages Can I Recover in a Medical Records Privacy Lawsuit?

Recoverable damages include emotional distress, mental health treatment costs, lost wages or business income when the disclosure affected employment, harm to reputation, damage to personal relationships, and, in egregious cases, punitive damages. Because the Medical Professional Liability Act does not apply, West Virginia’s medical malpractice damage caps do not limit recovery in these privacy cases.

What sets these cases apart is that the harm is rarely financial in the obvious sense; there is usually no stolen money to point to. The recoverable damages instead track the real injury a privacy violation causes:

  • Emotional distress — anxiety, humiliation, loss of trust in healthcare, fear of further disclosure
  • Mental health treatment costs — therapy, counseling, psychiatric medication
  • Lost wages and business income — when disclosure affected employment or forced a career change
  • Damaged personal relationships — when sensitive information disrupted marriages, family relationships, or social standing
  • Reputational harm — particularly severe for professionals whose careers depend on patient or community trust
  • Punitive damages — available when the hospital’s conduct was willful, reckless, or showed conscious disregard for patient privacy

West Virginia patients have one important structural advantage: because the R.K. decision keeps these cases out of the MPLA, the state’s non-economic damage caps for medical malpractice do not apply. The privacy damages structure recognized in Rohrbaugh v. Wal-Mart Stores, Inc. allows recovery for harm to privacy interest, mental distress, and even nominal damages when no economic harm can be proven. New York similarly does not impose statutory caps on breach of physician-patient confidentiality recoveries.

How Will I Even Know If a Hospital Employee Accessed My Records?

Every electronic health record system maintains a detailed audit log of every access. Hospitals are legally required to investigate suspicious access patterns and, in many cases, notify affected patients. Patients often learn from the hospital itself, from a friend or family member who heard private information circulating, or after the employee’s behavior triggers an internal review.

Modern hospital systems track every login. The audit log records who accessed which patient record, when, for how long, and what was viewed. If a neurology employee pulls up an OB patient’s chart, the system records it. Patients commonly discover the snooping in three ways:

  • Hospital notification. Federal HIPAA breach notification rules, W. Va. Code § 46A-2A-102, and New York General Business Law § 899-aa all require notification when patient information is improperly accessed. New York’s deadline tightened to 30 days as of December 21, 2024, and now expressly covers medical and health insurance information.
  • A tip from outside the hospital. A friend or relative mentions hearing something they should not have known. The patient traces the leak backward.
  • An internal audit catches the employee. Many facilities run automated privacy monitoring software that flags suspicious access patterns — particularly access by employees with the same last name as the patient or access during off-hours.

Patients can also request their own access logs under HIPAA’s right-of-access rules, although facilities often resist until a lawsuit forces disclosure through civil discovery.

What Should I Do If I Think a Hospital Employee Accessed My Records?

Document everything immediately: who said what, when you learned of the access, and how you traced it back to the hospital. Request the hospital’s access log for your record. File complaints with the HHS Office for Civil Rights and your state attorney general. Avoid contacting the suspected employee directly. Consult a consumer privacy attorney before the statute of limitations runs.

The first 30 days after discovering a medical privacy breach matter. Evidence can be lost, audit logs can fall outside data retention windows, and statutes of limitations begin to run. Take these steps:

  • Write down everything you know — names, dates, who told you what was disclosed, and how you traced it to the hospital.
  • Save every communication: text messages, voicemails, emails, social media posts.
  • Request your medical records and access log from the hospital in writing by certified mail.
  • File a complaint with the HHS Office for Civil Rights within 180 days of when you learned of the violation.
  • File a complaint with your state attorney general’s consumer protection division.
  • Do not confront the employee. Direct contact can compromise evidence and may expose you to retaliation.
  • Contact a consumer privacy attorney early. Statutes of limitations vary by claim type, and audit logs sometimes get overwritten on facility retention schedules.

How Long Do I Have to File a Medical Privacy Lawsuit in West Virginia or New York?

Statutes of limitations vary by claim. In West Virginia, statutory breach of confidentiality carries a one-year limitations period, invasion of privacy two years, and intentional infliction of emotional distress two years, with the discovery rule extending these in many cases. In New York, breach of physician-patient confidentiality claims generally carry a three-year limitations period, while the narrow statutory privacy claim under CPLR § 215 is one year.

Because each legal theory carries its own clock, the same set of facts can be timely under one claim and barred under another. In West Virginia, the periods most often at issue are:

  • One year — statutory breach of confidentiality claim under West Virginia law
  • Two years — invasion of privacy (intrusion upon seclusion or public disclosure of private facts)
  • Two years — intentional infliction of emotional distress
  • Discovery rule — the limitations clock generally does not start running until the patient knew or should have known of the breach and its cause

In New York, the limitations periods include:

  • Three years — general negligence, breach of fiduciary duty, and breach of physician-patient confidentiality (under CPLR § 214)
  • Two years and six months — medical malpractice (CPLR § 214-a), which the hospital will sometimes try to apply
  • One year — the narrow statutory “violation of right of privacy” claim under CPLR § 215 (limited to appropriation of name or likeness, rarely applies to records snooping)
  • One year — intentional infliction of emotional distress

Discovery and tolling doctrines can extend these deadlines, but the analysis is highly fact-specific. Consult a consumer privacy attorney as soon as a breach is suspected, well before any limitations period appears to run.

Contact a Consumer Medical Privacy Attorney in West Virginia or New York

Hospital records snooping cases require an attorney who understands both the consumer privacy framework and the procedural hurdles hospital defense lawyers will raise.

At Mehalic Law PLLC, attorney Jeff Mehalic has decades of experience representing consumers in privacy, data breach, and consumer protection cases throughout West Virginia and New York. Our practice focuses exclusively on representing patients and consumers — never hospitals, insurers, or providers. We offer a free consultation to review the facts, evaluate whether the audit log can be obtained, and identify every state-law claim that fits. Most consumer privacy cases are handled on contingency.

If you believe a hospital employee accessed your medical records without permission, call 304-873-9186 to speak with attorney Jeff Mehalic. We represent clients in Morgantown, Charleston, Huntington, Wheeling, Martinsburg, and throughout West Virginia, as well as Manhattan, Brooklyn, Queens, the Bronx, Staten Island, Westchester County, Nassau and Suffolk Counties, and Dutchess County in New York.

Frequently Asked Questions

Can I find out the name of the employee who looked at my records?

Usually, yes, although the hospital often resists disclosing the employee’s identity until a lawsuit is filed. Audit logs identify every workforce member who accessed your chart, and civil discovery in a filed case reaches those records.

Does it matter if the employee only looked at my records but never told anyone what she saw?

Yes. Under Tabata v. Charleston Area Medical Center, West Virginia patients have standing to sue even without proof of economic loss. The unauthorized access itself is the injury. New York recognizes parallel intrusion claims. Damages may be smaller in pure-access cases, but the claim is viable.

What if the hospital says the access was for “quality review” or “audit purposes”?

That defense usually fails when tested. The hospital has to prove the access fell within the employee’s actual job duties. An OB nurse pulling a neurology patient’s chart, or a coworker pulling an ex-partner’s records, does not qualify under any reasonable reading of the “minimum necessary” standard.

Can family members whose information was disclosed alongside mine also sue?

If their protected health information was independently disclosed, each person has her own claim. If they are only mentioned in your records without independent disclosure of their own health information, the claim belongs to you.

What if I am a hospital employee myself and a coworker looked at my records?

Coworker snooping cases are common, and your status as an employee does not reduce your privacy rights as a patient. Whistleblower retaliation protections may also apply if the hospital takes adverse employment action after you complain.

Are mental health, HIV, or substance use records protected more strongly?

Yes. New York Public Health Law Article 27-F applies heightened protections to HIV-related information and provides a private right of action. Mental health records are governed by Mental Hygiene Law § 33.13. Substance use records carry separate federal protections under 42 C.F.R. Part 2. West Virginia courts also recognize heightened damages where the disclosed information was especially sensitive.