- Catalina Post-Acute and Rehabilitation recently became aware of an incident where paper files containing resident and employee information were left in an unattended area. The patient data files, along with certain employee information, were left temporarily vulnerable to possible unauthorized public access.
The healthcare organization reported on its website that it found evidence on December 5, 2016 that documents containing the sensitive information of patients and employees had been left “unattended in an area where there is the potential for public access.” The unattended documents included demographic information. Diagnoses and Social Security numbers were included in some cases as well, Catalina stated.
The OCR data breach reporting tool states that 2,953 individuals were potentially affected by this incident.
Catalina said it launched an investigation into the incident and reviewed protocols in place relating to PHI storage and employee information to prevent further security issues.
The healthcare organization’s internal investigation found that it appears no patient or employee information was accessed or misused by any unauthorized individuals.
“Catalina Post-Acute and Rehabilitation is committed to the proper handling and protection of resident and employee information, and regularly assesses its systems and processes to ensure that this information is maintained and managed in accordance with State and Federal Law,” the online statement explained.
AZ hospital finds evidence of unauthorized EHR access
A recent data breach incident at Dignity Health St. Joseph’s Hospital and Medical Center has potentially put over 600 patient medical records at risk, according to a press release issued February 15 of this year.
According to a routine review of employee access to the hospital’s electronic health records, St. Joseph’s found that from October 1 through November 22, 2016 a part time hospital employee viewed sections of patient medical records without authorization or appropriate reason.
St. Joseph’s has since notified potentially impacted patients of the security breach through advisory letters.
Potentially accessed information included patient medical records, demographic information (e.g. names and dates of birth), and clinical data, such as doctor’s orders and diagnostic information.
St. Joseph’s asserts that because Social Security numbers, billing, and credit card information were not accessed during the breach, there is “no reason to believe these patients need to take any action to protect themselves against identity theft.”
“Dignity Health St. Joseph’s Hospital and Medical Center is deeply committed to protecting its patients,” the statement explained. “Any person who accesses medical records without a job-related reason is in violation of St. Joseph’s policy and appropriate action has been taken in response to this event.”