Colorado-based UCHealth is notifying approximately 800 patients of an internal healthcare data breach that resulted from an employee inappropriately accessing electronic patient files.
According to a hospital statement, the incident was discovered during one of the hospital’s precautionary HIPAA audits. When the hospital discovered the breach, it determined that the employee was accessing electronic patient records out of personal curiosity. There is reportedly no reason to believe that the employee has shared the accessed information with anyone else.
Disclosed patient information potentially includes patient names, addresses, phone numbers, dates of birth, insurance information, and descriptions of care and treatment plans received during visits.
According to UCHealth, the employee did not access Social Security numbers or other financial and billing information.
UCHealth explained in its statement that it takes matters of patient privacy seriously and is therefore taking several measures to ensure incidents like this do not happen again. Specifically, UCHealth is concentrating on administrative and employee security training.
UCHealth takes its obligations to protect healthcare information very seriously. This staff member’s employment with UCHealth has been terminated. Re-training has been given to all employees to re-emphasize that staff can only view health records of patients for whom they are actively providing care. All employees also will continue to receive annual training on how to properly access healthcare information.
Unfortunately, employees accessing prohibited patient files is not an uncommon occurrence. In October of this year, an employee at Bon Secours St. Francis Health System inappropriately accessed patient information.
In total, the St. Francis employee accessed nearly 2,000 patients’ information, along with several employees’ information. This healthcare data breach resulted in several fraudulent charges on individuals’ health insurance plans.
St. Francis responded to the breach in a similar fashion to UCHealth, first terminating the employee and then performing additional staff training on proper security procedures.
“The training will remind our employees that inappropriate use, access or disclosure of patients’ information will result in serious consequences up to and including termination and, where applicable, the involvement of law enforcement,” St. Francis Health explained.
Healthcare data breaches have also been hitting the state of Colorado. In August of this year, 1,622 residents’ information was disclosed as a result of mismailing. Several individuals reportedly received letters containing PHI that were not intended for them.
Breached information included patient names, addresses, state identification numbers or Medicaid ID numbers, family member names, employers’ names, income, amount of Advanced Premium Tax Credit, and whether or not patients were approved for state healthcare programs. For approximately 50 individuals, the mismailed letters also disclosed dates of birth.