ProMedica, a healthcare organization in Ohio, has investigated a potential healthcare data breach after discovering several employees had inappropriately accessed the private medical records of patients they were not directly treating.
According to a statement on its website, two ProMedica hospitals have notified 3,500 patients regarding the healthcare data security incident. Individuals may have had their names, addresses, phone numbers, dates of birth, insurance information, diagnoses, medications, and other clinical information exposed through the EHR system.
The healthcare organization stated that it learned of the inappropriate access on April 7, but the patient privacy violations had occurred between May 1, 2014 and April 26, 2016. ProMedica noted that the staff members involved did not have valid business or clinical reasons for accessing the patient information in question.
After an internal audit, ProMedica concluded that the employees did not intend to keep or use the patient data accessed in an inappropriate manner. However, the healthcare organization has taken “appropriate disciplinary action” against the employees, and it has terminated some staff members for their involvement in the incident.
To prevent other possible healthcare data breaches, the healthcare organization stated that it has conducted additional staff training regarding acceptable patient data access and implemented a more proactive auditing program that involves software monitoring tools that track staff activity on the EHR system.
An article from The Blade elaborated on the healthcare data security incident by reporting that another employee had tipped off hospital administration about the improper access of patient data.
ProMedica’s president at both hospitals, Julie Yaroch, also told The Blade that the investigation had taken so long because the healthcare organization lacked the “necessary software.”
“This is a very serious event,” added Yaroch.
University of NM Hospital notifies over 2,800 patients of possible breach
The University of New Mexico Hospital has recently reported a potential healthcare data breach that resulted in the exposure of healthcare data for 2,827 patients, according to a statement on its website.
Some patients may have had their names, provider names, dates of service, and descriptions of medical services, such as X-ray or flu shot information, disclosed after their information was mailed to another address.
The hospital stated that 33 invoice documents were mistakenly mailed to 18 addresses sometime between December 22, 2015 and April 2, 2016. Invoices contained patient information for several individuals. The possible breach was caused by a technical error in the hospital’s billing systems.
University of New Mexico Hospital noted that no financial, health insurance, or detailed treatment information was involved in the incident. The invoices also did not include dates of birth, Social Security numbers, or medical record numbers.
“UNM Hospital is committed to protecting the privacy and confidential health information of all of our patients, and we take this incident very seriously,” said Chief Privacy Officer of the University of New Mexico Health Sciences Center Sarah Morrow. “We have thoroughly investigated and identified the technical issues that led to the erroneous mailings, and we are monitoring the system to ensure this does not happen again.”
AZ healthcare system reports exposure of employee information
Employees at an Arizona-based healthcare system are being notified of a possible data security event after a break-in occurred in March, according to a notification letter on its website.
Mountain Park Health Center reported that employees may have had their personnel files exposed when burglars gained access to an office on March 22. The unauthorized parties were able to open locked file cabinets and go through the documents in the drawers.
While no employee files were reported stolen, individuals may have had their names, addresses, Social Security numbers, dates of birth, and some financial information exposed by the incident.
The healthcare system has contacted local law enforcement and cooperated with an investigation, the letter confirmed. Mountain Park Health Center has also notified all potentially affected individuals and offered them complimentary credit monitoring and identity protection services for a year.
To prevent future data security incidents, the healthcare system has re-keyed all doors and cabinets and researched additional security systems.
Mountain Park Health Center did not provide information on how many individuals may have been affected by the event.
Mismailing at medical center causes potential healthcare data breach
Illinois-based Loyola University Medical Center has recently announced a potential patient privacy violation after billing statements were possibly mailed to the wrong individuals.
In February, the medical center launched a project to update and obtain accurate addresses for patients. On April 5, Loyola University Medical Center discovered that some billing statements may have been sent to some of the unverified addresses that were part of the project.
Patient information on the billing statements included names, account numbers, dates of service, balances due, procedure codes, and general descriptions of medical services. The medical center confirmed that Social Security numbers and other financial information were not involved in the data security incident.
The statement did not disclose how many individuals were affected by the possible healthcare data security incident.
However, the medical center reported that it has worked to improve its patient privacy measures.
“Loyola University Medical Center has taken steps including but not limited to adding more data elements in the address search query and calling certain patients prior to mailings to revise its address research projects to ensure billing statements containing patient information are being mailed to accurate addresses,” explained the statement.