UnityPoint Health of West Des Moines, Iowa reported this week that it discovered unauthorized access to its EHR system during a routine audit back on August 8 that put 1,800 patients’ data at risk.
The Sioux City Journal reports that a Unitypoint employee gave a UnityPoint third-party contractor employee password access to the healthcare network’s system because they thought the outside employee would use the access for administrative duties. Instead, they inappropriately accessed information ranging from names, home addresses, dates of birth, medical and health insurance account numbers and health information related to patient treatment. The employee accessed those records from February to August 2013 and UnityPoint believes that in 10 percent of cases (180 patients total), the patient’s Social Security number was viewed as well. In four cases, a patient’s financially-responsible party’s data was breached.
UnityPoint Health, formerly Iowa Health System, is a healthcare network that includes locations in Cedar Rapids, Des Moines, Dubuque, Fort Dodge, Peoria, Quad Cities/Muscatine, Sioux City and Waterloo. However, the organization wouldn’t say which location the breach originated in.
The breach, according to the Sioux City Journal, was reported to the FBI and patients UnityPoint mailed patients a letter. UnityPoint said in the article that it will conduct further audits while providing more employee education on password safeguarding policies that are currently in place instead of changing any internal policies. Spokeswoman Leslie Heying told the Sioux City Journal that more training is planned at the Sioux City hospital.