A Southern Oregon doctor with access to the medical records of Asante patients allegedly looked up patients’ information without a valid clinical reason over more than eight years.

A recent investigation conducted by Asante determined that Paul Hoffman, a general surgery specialist who worked in Asante Ashland Community Hospital, allegedly accessed patients’ health information between June 2014 and January 2023.

“This is the worst case of snooping in Asante’s history,” Erick Edtl, director and chief compliance and privacy officer at Asante, said in a release. “Dr. Hoffman’s actions are not representative of Asante’s culture and could have a serious impact on our patients, our employees and their trust in Asante.”

The privacy breach was detailed in a letter to an Asante patient, who passed it along to the Rogue Valley Times.

“Our investigation indicates that Dr. Hoffman accessed records out of curiosity rather than for any fraudulent purposes,” the letter, signed by Edtl, reads.

The letter says that Hoffman, though not employed by Asante, “had access to Asante’s electronic health record system in order to treat his patients when they are seen at Asante facilities.”

The letter tells the patient that the information Hoffman accessed “may have included your name, demographic information, and diagnostic and treatment information.”

Hoffman did not have access to the patient’s “full social security number, driver’s license number, or payment card or bank account information,” the letter emphasizes.

The letter advises that the incident did not put the patient at risk of identity theft, and that precautionary measures on the patient’s part weren’t necessary as a result of the breach.

Asante has terminated Hoffman’s access to its electronic health record system and reported the doctor’s conduct to the Oregon Medical Board, the letter says.

The case will go through Asante’s medical executive committee review, according to Lauren Van Sickle, Asante’s communications manager. The committee will determine whether Hoffman’s privileges will be revoked at Asante’s hospitals.

Hoffman could not immediately be reached for comment.

It wasn’t clear how many patients had their information accessed by Hoffman, and how many received a similar letter.

Van Sickle said the doctor’s actions came to light when an employee overheard a conversation involving Hoffman.

The doctor’s “snooping” began before Asante’s current electronic auditing system was in place for tracking inappropriate access, Van Sickle said. In addition, the irregularity did not stand out because Hoffman was the only practicing wound care provider working in Asante’s wound clinic, she said.

“There wasn’t a ‘like’ provider to compare his access to,” she said, “and so that’s why there was never any warning or any notification that it was out of the realm of normal.”

The letter to the patient says: “In light of this incident, Asante is evaluating whether additional measures can be put in place to more quickly detect potentially inappropriate access to medical information by authorized users.”

Van Sickle said Hoffman knew that what he was doing was unethical. If an investigation had found that an Asante employee had engaged in similar behavior, however many times, that person would be fired, she said.

“We work really hard to have the trust of our patients and this community, and that’s why we take something like this breach so seriously, and why we have a zero-tolerance policy,” Van Sickle said.

She added: “We’re deeply disappointed in what happened, and we are doing all that we can to regain or retain the trust of our patients.”