When a hospital suffers a data breach or is accused of violating a patient’s privacy rights, the usual enforcement agency is the U.S. Department of Health and Human Services Office of Civil Rights. But for a health system in central Oregon the unauthorized access of the electronic medical records of about 2,500 patients is drawing the interest of the local district attorney.

On Jan. 17, the St. Charles Health System, a four-hospital network and healthcare company located in Bend, Ore., launched an investigation and conducted an audit of all of the patient files accessed by an unauthorized health system employee who told hospital administrators she was “curious” about the files.

The audit revealed that between Oct. 8, 2014, and Jan. 16, 2017, the hospital employee may have inappropriately reviewed as many as 2,459 files containing patients’ names, addresses, dates of birth, health insurance information, driver’s license numbers and health information such as diagnoses, physicians’ names, medications and treatment history.

The hospital is tight-lipped about some of the details. For instance, St. Charles isn’t saying yet how the employee gained access to the electronic medical records or what type of patient data she was most interested in seeing.


The hospital does say the incident has been reported to various state and federal officials, including the Office of Civil Rights of the U.S. Department of Health and Human Services. That office investigates and can fine hospitals for violations of the Health Insurance Portability and Accountability Act (HIPAA), a law designed to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other healthcare providers.


But in addition to federal investigators, the Deschutes County district attorney also is investigating the data breach as a criminal matter. “I was dismayed to learn via media reports that apparently a St. Charles employee impermissibly accessed records of thousands of patients,” says Deschutes County district attorney John Hummel. “An alleged breach of this magnitude should have been reported to local police so that a proper criminal investigation could be conducted—as far as I’m aware this did not happen.”

The district attorney’s office says Hummel is seeking to determine if any criminal laws were broken and if charges should be filed. “It’s hard to say what crimes might have been committed until we dig into the facts of what happened,” Hummel says. “Based on a press release sent out by St. Charles, one potential crime appears to be Oregon’s computer crime statute.”

The Oregon computer crime law covers fraud, theft and theft of proprietary information among other areas, Hummel says. “The HHS office of civil rights would address alleged actions and inactions of St. Charles in this matter,” he says. “If I see potential crimes committed by St. Charles I’ll of course investigate that, but this investigation starts with looking at whether the actions of the person who allegedly accessed the data constituted a crime.”

St. Charles Health says it is cooperating with the investigation but says that, as far as it knows, no crime was committed. “She (the employee) has since signed an affidavit stating that she has never used or shared any of the confidential patient information for the purpose of committing fraud, financial crimes or other crimes against the patients whose records were among those she viewed,” the hospital says.


The patients who had their electronic medical records accessed have been sent a letter of explanation and St. Charles has set up a special call center. “St. Charles takes the privacy and security of our patients’ personal health information very seriously,” says St. Charles vice president of compliance Nicole Hough. “The health system is doing everything possible to prevent a similar privacy breach from occurring in the future, including implementing additional medical record audits.”

When a cybercrime occurs, the Federal Bureau of Investigation is brought in. But it is somewhat more unusual for a hospital employee to be charged with a crime, says Hadley L. Matarazzo, an attorney and partner with Faraci Lange, a Rochester, NY, law firm that handles healthcare privacy violation cases among other matters. “If theft is involved it could be a criminal investigation and these types of cases happen, but not every day.”

St. Charles has not said whether it has taken disciplinary action against the employee who accessed the patient records.