The former St. Charles Health System employee who inappropriately viewed the medical records of 2,459 patients is facing criminal charges that carry a maximum penalty of two years in jail.

Prineville resident Dawnielle Vaca, 35, viewed the records while working as a certified nursing assistant. The Deschutes County District Attorney filed two counts of computer crimes, both Class A misdemeanors.

The records, accessed between Oct. 8, 2014, and Jan. 16, included patients’ diagnoses, their physicians’ names, medical histories, medications and treatment information. They also included names, addresses, birthdates and health insurance information.

District Attorney John Hummel said he can’t think of anything more personal than someone’s medical record.

“Looking at someone’s medical records is not like looking at someone’s housing records or employment records,” he said. “We’re sharing details with our providers about our mental health history, maybe our relationship issues. You might be having struggles with loved ones. We talk about our medication use.”

During his investigation, Hummel said he received unsolicited phone calls from some of the affected patients, who told him they felt violated. St. Charles offered a year of free credit monitoring and identity restoration services to everyone affected.

Vaca declined to comment when reached by phone Tuesday. She holds an active certified nursing assistant license in Oregon and the state Board of Nursing website lists no disciplinary action on her license. Ruby Jason, the board’s executive director, said her office investigates any time criminal charges are filed against its licensees and that she was aware of the charges against Vaca.

Hummel said his investigation did not find any evidence that patients were harmed financially. Vaca was not attempting to commit fraud, financial crimes or damage St. Charles’ computer system, he said. If she had been, Hummel said the charges would have been felonies.

Rather, Hummel said Vaca looked at the records out of curiosity. Because she has no prior criminal history, Hummel said he won’t pursue the maximum penalty the charges carry. Vaca’s first hearing is scheduled for July 27.

Hummel declined to release any documents from his and the Bend Police Department’s joint investigation into the case. The investigation is currently on hold, but could proceed if Vaca decides to pursue a trial rather than pleading guilty, Hummel said.

St. Charles learned of the breach and launched its investigation Jan. 16. A spokeswoman declined to say when Vaca was fired, but Hummel said she had already been fired when he began his investigation in March.

Hummel criticized St. Charles’ decision not to notify the police of the breach. While no law directs the health system to do so, he said in his mind, “it’s common sense.” Hummel said he learned about the breach through media reports and notified the Bend Police Department himself.

“I felt the impact to their patients, my constituents, was such that this should have been reported to law enforcement,” he said.

St. Charles spokeswoman Lisa Goodman said the health system followed federal and state laws by notifying the affected patients, the state attorney general and the secretary of the U.S. Department of Health and Human Services. Vaca worked at St. Charles Bend and Madras, she said.

Ultimately, Hummel said he’s concerned a breach like this could prevent people from sharing sensitive information with their medical providers, which could affect their health. He said it’s especially difficult to share mental health struggles due to the fear of stigma.

“To think that people could get to the point where they’re brave enough to come forward under the pretense of privacy and then know that somebody read your records, that’s hard,” he said. “So when I become aware of a breach like this, I’ll do what I have to do to make sure that offenders are held accountable.”

—Reporter: 541-383-0304, tbannow@bendbulletin.com

17694111