A former employee gained unauthorized access to several hospitals, creating a healthcare security breach.
Three Washington hospitals are working to fix their computer systems after a healthcare security breach led to the theft of 35 computers and 34 scanners.
A former IT contractor for Franciscan Health Systems kept his active security pass months after he had completed his work for the company, according to KIRO 7 news. Specifically, the former employee accessed one hospital six times, an administrative office 24 times, and an education and support facility eight times.
“We’re going to find the discrepancies in our system and make sure it doesn’t happen again,” Scott Thompson of Franciscan Health Systems told the news source. “We’re right now taking some internal review of all those policies and procedures, to make sure we’ve figured out why this happened and make sure it doesn’t happen again.”
The contractor, Justin Pace, is charged with stealing $100,000 in computers, scanners and other equipment from three Franciscan facilities. However, no patient information was compromised, according to Thompson.
Without the necessary administrative and technical safeguards, healthcare facilities cannot guarantee that unauthorized individuals will not gain access to sensitive information. Patients’ protected health information (PHI) might not have been compromised in this specific scenario, but it is a good reminder for organizations to keep policies current and make sure only authorized employees have access to certain facilities and online systems. Healthcare security breaches cannot always be predicted, but they can be prevented.
Boston hospital paying the price for healthcare data breach
Beth Israel Deaconess Medical Center (BIDMC) will pay $100,000 in fines over the allegations that the facility failed to protect the PHI of approximately 4,000 patients and employees in a 2012 incident.
A physician’s personal laptop was stolen in May 2012, when an unauthorized individual gained access to a BIDMC physician’s unlocked office on campus and stole the device. The laptop was unencrypted and sitting unattended on a desk. While the laptop was not hospital-issued, it was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.
“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” Massachusetts Attorney General Martha Coakley said in a statement. “To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”
BIDMC’s policy and applicable law required employees to encrypt and physically secure laptops containing any personal information and PHI, according to the release. However, the physician and members of his staff were reportedly not following these policies.
Along with the monetary fines, BIDMC will work toward ensuring that it complies with state and federal data security laws and regulations. This includes properly tracking all portable devices such as laptops, as well as encrypting and physically securing the devices. Moreover, BIDMC will better train its staff on how to properly handle sensitive information, including PHI.