Healthcare Information Security

HIPAA and Compliance News

Healthcare Data Breach Drama Continues for UMass Memorial

By Elizabeth Snell

A Massachusetts hospital is facing a civil lawsuit from a patient whose PHI was potentially exposed in a healthcare data breach.

The University of Massachusetts Memorial Medical Center (UMMMC) of Worcester, Mass. is facing a civil lawsuit over a healthcare data breach from last May.


The plaintiff, Robert Jackson, and his lawyers claim that the year of free credit monitoring offered by the hospital is not enough, according to the Worcester Telegram & Gazette. Moreover, the same offer was made to the 2,400 patients whose protected health information (PHI) was potentially exposed in May’s security breach.

The patients’ information was inappropriately accessed by a former UMMMC employee, who allegedly stole the identities of approximately 22 people to buy cellphones and utility services via the internet. However, the suspect pleaded not guilty to multiple charges of identity fraud and other charges in Dudley District Court earlier this month, according to the news source.

As previously reported, the hospital stated that it waited two months to notify patients because it wanted to determine how long the former employee had access to the data. UMMMC also said that to prevent a similar incident from happening in the future, it is reinforcing staff training on how to protect patient information. Additionally, the hospital said it would further strengthen its program, “including identifying additional measures and enhancements to existing safeguards to protect patient information.”

The plaintiff’s lawyers also want UMMMC to pay $3,000 per class member and provide broader identification security for the affected patients. Moreover, the hospital should provide more details of the breach for each of the affected patients, the legal team told the Telegram & Gazette. Regular accounting disclosures should also be given to the putative class for 10 years, and UMMMC needs to pay for a health-privacy expert for the plaintiff and the potential class-action group.

“On behalf of our client we have gone to great lengths to educate him about what medical identity theft is and more importantly, to provide him the tools which will allow him to determine whether he may already be a victim or conversely, to prevent him from becoming a victim,” John Yasi, one of the lawyers, told the news source.

New Mexico facility misplaces patient records

A New Mexico healthcare organization is attempting to determine if a healthcare data breach took place earlier this year. KOB 4, a local news station, reported that it analyzed roughly two months of emails between staff members at the University of New Mexico Cancer Center (UNMCC).

Two incidents in the last year have raised concerns over whether the facility is properly protecting patients’ PHI. The first one allegedly occurred when a UNMCC doctor left two patients’ files in the parking lot of Lovelace Women’s Hospital. However, the facility located the files and returned them.

The second incident reportedly involved a missing CD containing a patient’s information. A few days after staff members believe it went missing within the facility, they reviewed security camera footage and questioned a housekeeper. According to the news source, it’s unclear if staff members ever located the CD.

“The University of New Mexico does protect patient information,” said UNM medical facilities’ privacy officer Sophia Collaros. “It does protect the confidentiality of it, and is very cognizant of the need to do that.”

