Two employees hacked into their employer’s information system and gathered the contact information of other employees to use during a union organizing drive. Disgruntled employees who were contacted by the union questioned how the union received their contact information. The company terminated the two employees after concluding that they had breached the company’s confidentiality rule by accessing and disseminating the employee contact information. Companies often implement such confidentiality rules to ensure that employees with access to personal information do not violate the Health Insurance Portability and Accountability Act (HIPAA).

The company had a confidentiality rule that stated a “breach of either patient or facility confidentiality is considered gross misconduct and may lead to immediate dismissal.” The policy defined “confidential information” as including, but not limited to, “patient information, physician information, personnel information, billing, purchasing and financial information.” Despite this seemingly reasonable policy, the National Labor Relations Board held that the termination was unlawful because the confidentiality rule was overly broad because it included a prohibition against utilizing employee contact information that could be used for union organizing. The Board blamed the employer for housing employee and patient data on the same system.

This case serves as yet another reminder that the activist Board is expanding beyond collective bargaining agreements and taking an interest in corporate policies and procedures. Employers should be certain to keep employee information separate from customer, client, and patient data to avoid a similar situation.