[Data Privacy](https://www.govinfosecurity.com/data-privacy-c-151) , [Data Security](https://www.govinfosecurity.com/data-security-c-934) , [Healthcare](https://www.govinfosecurity.com/healthcare-c-516)DA: Sleep Center Worker Installed Secret Camera in Bathrooms============================================================Ex-Employee Faces Criminal Charges; Hospital Reports Incident as Big HIPAA Breach [Marianne Kolbasuk McGee](https://www.govinfosecurity.com/authors/marianne-kolbasuk-mcgee-i-626) ([HealthInfoSec](https://www.twitter.com/HealthInfoSec)) • June 6, 2025 [](https://www.bankinfosecurity.com/da-sleep-center-worker-installed-secret-camera-in-bathrooms-a-28611#disqus_thread) * * * * * [Credit Eligible](/premium/pricing ‘As a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking.’)* [](/premium/pricing ‘As a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking.’)* Get Permission*  Prosecutors allege that a former worker of a New York sleep clinic hid a camera in a fake smoke detector to secretly record patients and staff in the center’s bathrooms. (Image: Getty Images)A former worker at a New York hospital’s sleep disorders center has been indicted on criminal charges alleging he installed a hidden camera in the facility’s bathrooms to record videos of staff and patients. The hospital has reported the incident to federal regulators as a HIPAA breach affecting thousands.**See Also:** [How Linking Identity, Data Security Can Help Cyber Response](https://www.govinfosecurity.com/how-linking-identity-data-security-help-cyber-response-a-28191?rf=RAM_SeeAlso)While only five victims – including one child – have been identified in the recordings so far, North Shore University Hospital sleep disorder center reported the incident in May to federal regulators as a HIPAA breach affecting 13,332 individuals and involving ‘unauthorized access/disclosure.’NSUH is part of nonprofit Northwell Health, the largest integrated healthcare system in New York state.Nassau County’s district attorney [alleges](https://nassauda.org/CivicAlerts.aspx?AID=1758) that the former NSUH employee, Sanjai Syamaprasad, installed hidden cameras inside fake smoke detectors in multiple bathrooms of the sleep center and public bathrooms of the healthcare facility in Great Neck, Long Island, N.Y., between July 2023 and April 2024 and that he destroyed evidence of the recordings.Prosecutors said the incident potentially affected patients of the sleep center as well as Northwell’s STARS Rehabilitation, which is located in the same building as the sleep study facility.Prosecutors say Syamaprasad used a Velcro patch to attach a fake smoker detector with a hidden camera onto the walls of multiple staff and patient bathrooms at the sleep center, and in public bathrooms of the rehab center.At the end of his shifts, Syamaprasad allegedly removed the phony smoke detector and downloaded the camera footage onto an SD card.’We do not have specific knowledge about which patients may have been recorded, what images were contained in the video recordings or how many recordings contained identifiable images, such as facial images,’ NSUH [said](https://www.northwell.edu/sites/northwell.edu/files/2025-05/nsuh-sleep-disorders-center-substitute-notice-2025.pdf) in a breach notice issued on May 23.NSUH said that ‘out of an abundance of caution,’ it notified all patients who visited the facility between when the DA’s Office determined that Syamaprasad purchased the recording device – on Aug. 2, 2022 – until the date the worker was prevented from entering the premises on April 23, 2024.NSUH said it does not know when and how frequently the former employee used the recording device after it was purchased.Nassau County’s district attorney alleges Syamaprasad installed hidden cameras inside decoy smoke detectors in the bathrooms between July 2023 and April 2024 and that he destroyed evidence of the recordings.During that period, the cameras recorded ‘approximately hundreds of individuals while they were using the bathrooms,’ prosecutors said. ‘Based on images recovered and reviewed by Nassau County DA investigators, five individuals were identified on the videos, including a child.’Prosecutors also allege that Syamaprasad watched some of the videos on his computer while at work. ‘Knowing that law enforcement was closing in, the defendant allegedly tried to cover his tracks, breaking up and disposing of the memory card to destroy any evidence of the recordings,’ said Anne Donnelly, Nassau County district attorney.  North Shore University Hospital is part of Northwell Health, the largest health system in New York state. (Image: Northwell Health)Syamaprasad was arraigned in April on grand jury indictment of felony charges, including five counts of unlawful surveillance in the second degree and two counts of tampering with physical evidence. Syamaprasad, who pleaded not guilty and was released on his own recognizance, is slated for a court hearing on June 12. He faces up to 16 month to four years in prison if convicted.Syamaprasad’s attorney declined Information Security Media Group’s request for comment on the allegations.’We were deeply disturbed when we first learned information regarding the conduct of the former employee, who has not worked for us for over one year,’ said in a statement to ISMG.’We immediately revoked that individual’s access to our premises, reported him to the Nassau County District Attorney’s Office and have fully cooperated with the DA’s Office in their investigation and prosecution of him. Safeguarding the privacy of our patients and employees will always remain a high priority for us.’Northwell did not immediately respond to ISMG’s request for additional details about the incident, including Syamaprasad’s former job position at the entity, and how long he worked there.In its breach notice, NSHU said it provides ‘annual and ongoing training to all staff on the importance of protecting patient confidentiality and safeguarding health information.’When the hospital learned of information related to Syamaprasad’s alleged improper conduct, ‘he was prevented from returning to the premises and we promptly referred the matter to the DA’s Office and are cooperating with their investigation and prosecution of the former employee,’ NSUH said.### Biometric Data RiskRegulatory attorney Rachel Rose, who is not involved in the NSUH case, said the hospital was correct in reporting the video camera recording incident to federal regulators as a HIPAA breach based on the patients facial and other potential bodily images allegedly being captured.’Biometrics are one of the 18 identifying factors,’ she said. ‘The reason this counts as protected health information and subsequently a breach is that it occurred in a clinical setting, so the individual patient could be tied back to the provider and the center is very specific in terms of the type of care that it renders,’ she said.
‘Moreover, the perpetrator was a former employee who would have known who the individuals were because of either direct or indirect access to the chart,’ she said. ‘State laws in the areas of privacy and biometrics are also important considerations.’Besides the HIPAA considerations, Texas, Illinois, California and Washington State all have robust biometric laws and consumer privacy laws, she said. ‘Unlawful surveillance opens a venerable ‘Pandora’s box’ of legal implications, which are often criminal,’ she said.’What is most disturbing about this incident is the fact that minor children were allegedly videoed in a restroom setting,’ she said. ‘Presumably, the covered entity ran comprehensive background checks before the employee was hired.’The allegations against Syamaprasad is among several other recent disturbing insider privacy breach cases to surface in healthcare settings.The University of Maryland Medical Center is facing a class action lawsuit filed in April that alleges one of its pharmacists installed keylogging software on 400 laptops and workstations over a decade to spy on the personal lives and intimate moments of at least 80 coworkers (see: [*Lawsuit: Hospital Pharmacist Spied on Coworkers for Decade*](/lawsuit-hospital-pharmacist-spied-on-coworkers-for-decade-a-27952)).That lawsuit alleges, among other claims, that the former UMMC pharmacist used login credentials of coworkers to gain remote access to webcams to record videos of young doctors and medical residents in private moments at home and at work, such as when UMMC coworkers who were new mothers pumped breast milk in closed treatment rooms.Rose said those disturbing recent insider breach cases offer several important lessons, including the use of known recording devices.When those types of devices that are used in healthcare environments, organizations should ensure that the equipment is encrypted, patches are updated and access is limited to two individuals, she said.’This mitigates the risk that an employee or external actor can hack into or backdoor a path into the biometrics and recordings,’ she said. Rose also suggests entities consult with local law enforcement on what can be utilized to perform ‘sweeps’ for bugs and other recording devices, she said.Finally, employee training, background checks and policies and procedures are critical, she adds.’The top lessons are that continued vigilance is required and that illegal surveillance can lead to criminal liability,’ she said.  #### [Marianne Kolbasuk McGee](https://www.govinfosecurity.com/authors/marianne-kolbasuk-mcgee-i-626)*Executive Editor, HealthcareInfoSecurity, ISMG* McGee is executive editor of Information Security Media Group’s HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek’s healthcare IT media site.[](https://twitter.com/HealthInfoSec) [](mailto:mmcgee@ismg.io)  ##### [Securing Data in the AI Era](https://www.govinfosecurity.com/securing-data-in-ai-era-a-27986?rf=RAM_Resources) ##### [Incident Ready: Strategies for Cryptography](https://www.govinfosecurity.com/incident-ready-strategies-for-cryptography-a-27985?rf=RAM_Resources) ##### [Data Dialogues: Protecting Personal Data](https://www.govinfosecurity.com/data-dialogues-protecting-personal-data-a-27984?rf=RAM_Resources) ##### [NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical](https://www.govinfosecurity.com/nhs-ransomware-attack-healthcare-industry-infrastructures-are-critical-a-25547?rf=RAM_Resources) [whitepaper](https://www.govinfosecurity.com/whitepapers/securing-deal-velocity-for-healthcare-mad-w-11871?rf=RAM_Resources)##### [Securing Deal Velocity for Healthcare M-&A/D](https://www.govinfosecurity.com/whitepapers/securing-deal-velocity-for-healthcare-mad-w-11871?rf=RAM_Resources) [Data Privacy](https://www.govinfosecurity.com/data-privacy-c-151)##### [US Supreme Court Grants DOGE Unfettered Access to SSA Systems](https://www.govinfosecurity.com/us-supreme-court-grants-doge-unfettered-access-to-ssa-systems-a-28614) [Critical Infrastructure Security](https://www.govinfosecurity.com/critical-infrastructure-security-c-525)##### [EU Prepares for Transnational Cyberattacks](https://www.govinfosecurity.com/eu-prepares-for-transnational-cyberattacks-a-28613) [Data Privacy](https://www.govinfosecurity.com/data-privacy-c-151)##### [DA: Sleep Center Worker Installed Secret Camera in Bathrooms](https://www.govinfosecurity.com/da-sleep-center-worker-installed-secret-camera-in-bathrooms-a-28611) [Cybersecurity Spending](https://www.govinfosecurity.com/cybersecurity-spending-c-664)##### [‘There Will Be Pain’: CISA Cuts Spark Bipartisan Concerns](https://www.govinfosecurity.com/there-will-be-pain-cisa-cuts-spark-bipartisan-concerns-a-28610) [Artificial Intelligence -& Machine Learning](https://www.govinfosecurity.com/artificial-intelligence-machine-learning-c-469)##### [ISMG Editors: Infosecurity Europe Conference 2025 Wrap-Up](https://www.govinfosecurity.com/ismg-editors-infosecurity-europe-conference-2025-wrap-up-a-28609)[Overview](https://www.govinfosecurity.com/webinars/risk-management-framework-learn-from-nist-w-255) * Twitter* Facebook* LinkedIn* * * From heightened risks to increased regulations, senior leaders at all levels are pressured to improve their organizations’ risk management capabilities. But no one is showing them how – until now.Learn the fundamentals of developing a risk management program from the man who wrote the book on the topic: Ron Ross, computer scientist for the National Institute of Standards and Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37 – the bible of risk assessment and management – will share his unique insights on how to:* Understand the current cyber threats to all public and private sector organizations;* Develop a multi-tiered risk management approach built upon governance, processes and information systems;* Implement NIST’s risk management framework, from defining risks to selecting, implementing and monitoring information security controls.Presented By———— [Presented By](/authors/ron-ross-i-558)—————————————#### [Ron Ross](/authors/ron-ross-i-558)*Sr. Computer Scientist -& Information Security Researcher, National Institute of Standards and Technology (NIST)*
Related Tags:
NAICS: 62 – Health Care And Social Assistance
NAICS: 623 – Nursing And Residential Care Facilities
NAICS: 622 – Hospitals
Blog: GovInfoSecurity
Search Victim-Owned Websites
Gather Victim Org Information: Identify Roles
Gather Victim Org Information
Gather Victim Identity Information: Employee Names
Gather Victim Identity Information
Associated Indicators:
healthcareinfosecurity.com