TapestryHealth recently had an impermissible disclosure linked to job sharing.
The Connecticut-based provider recently notified patients and the public about an unauthorized data disclosure. The incident, which was identified on November 3rd, 2025, involved an employee of TapestryHealth sharing patient data with an unrelated individual. The individual was employed between November 6th, 2024, and November 3rd, 2025. During this time, protected health information may have been shared without authorization. The involved information includes last names, facility information, medical record number, provider names, diagnosis and treatment information, vitals, immunizations, medications, and/or care plan goals and progress notes.
The employee involved in the incident is suspected of job sharing, meaning the employee delegated some of their job-related duties to another individual without permission from TapestryHealth. As part of that employee sharing their job-related duties, they shared protected health information. This information may have been shared without malicious intent to abuse the data, but still resulted in an impermissible disclosure. Upon learning that the employee was job-sharing, they were immediately terminated. TapestryHealth will also take additional steps to enhance employee training and technical controls to prevent similar events in the future.
While job-sharing is fairly uncommon, this has not been the only incident where data was impermissibly disclosed in relation to this activity. Earlier this year, Sentara Health notified patients of a breach caused by two suspicious employees whose real identities did not match the identities of the individuals initially hired. Under HIPAA, only authorized individuals (either those directly hired or subcontracted) can have access to protected health information. To prevent job-sharing, companies should make sure they properly audit and train employees to ensure they are the ones performing their job duties. Organizations should also be very clear about the potential repercussions of job-sharing; when it is unauthorized, it can result in violating HIPAA, which can have direct ramifications for employment and the company’s legal standing at large.
Job sharing is generally not permissible under HIPAA, however, it is possible for organizations to subcontract work out to additional individuals. Doing so would, however, require the subcontractor to be classified as a business associate and sign an agreement outlining their rules and obligations under HIPAA.
An insider threat is a person who has authorized access to data but shares it without permission. These types of breaches and threats can come from a variety of sources, like disgruntled employees hoping to cause trouble or make money, or even untrained employees who inadvertently mishandle data.