Massachusetts-based Tewksbury Hospital recently discovered evidence of an incident of unauthorized EHR access potentially creating a PHI data breach.
In April of 2017, a former Tewksbury Hospital patient stated an unauthorized individual may have accessed their electronic medical record inappropriately. A subsequent review of the incident showed a hospital employee may have accessed the former patient’s health record without proper justification.
This incident led to further investigation of the employee’s use of EHRs at the hospital.
Investigators concluded the employee had accessed the EHRs of over 1,000 other current and former patients, according to WCVB Boston.
Individuals potentially impacted by the incident include patients of Tewksbury Hospital between 2003 and May 2017.
Potentially accessed information included patient names, addresses, phone numbers, dates of birth, gender, diagnoses, and other information regarding medical treatment.
The employee may also have accessed the Social Security numbers of some patients.
The offending employee has since been terminated and no longer has access to the hospital’s EHR system.
Additionally, Tewksbury Hospital stated there exists no evidence suggesting any patient information has been misused in any way.
The hospital issued written notices to all patients that may have been affected by the incident. The Massachusetts Attorney General’s Office, the Massachusetts Office for Consumer Affairs and Business Regulation, and OCR have all been alerted of the incident.
“To reduce the chance of future incidents like this occurring, we are reviewing our policies regarding access to the electronic medical records system,” read a statement on the Massachusetts Health and Human Services website. “We are also reassessing how we review our workforce members’ use of the electronic medical records system, and we will be reviewing the training we provide to all workforce members regarding the privacy and security of confidential information.”
Tewksbury Hospital has encouraged all concerned individuals to call a toll free number for further information regarding the incident.
Virus encrypts patient information at PA healthcare group
On May 16, 2017, Women’s Healthcare Group of Pennsylvania found a server and workstation at one of its practice locations had been infected by a virus that blocked access to system files.
Women’s Healthcare staff immediately removed the affected server and workstation from its network and launched an investigation into the incident with the help of a computer forensics team.
The healthcare group also contacted local FBI authorities and filed an incident report.
From its investigation, Women’s Healthcare learned external hackers had gained access to its systems as early as January of 2017 via a security vulnerability.
Healthcare group officials stated the virus was propagated through this vulnerability, allowing for unauthorized access to a limited amount of patient information. While some files were encrypted, the healthcare group stated it has been unable to determine whether any specific patient information has been acquired or viewed by hackers.
Women’s Healthcare was able to restore encrypted files from a backup server and stated the incident had no effect on its ability to care for its patients.
Potentially accessed information included patient names, addresses, dates of birth, Social Security numbers, blood types, race, employers, insurance information, diagnoses, and physician names.
No patient driver’s licenses, credit card numbers, or other financial information was stored on the infected server.
Women’s Healthcare sent notices to all potentially impacted individuals with instructions on how to receive free credit monitoring and identity theft services to protect their information.
The healthcare group also set up a toll free call center to offer concerned patients further information regarding the incident.
Women’s Healthcare did not specify how many patients were potentially impacted by the breach.
Paper health records containing patient information stolen in burglary
Vision Care Specialists, Inc. (VCS) recently suffered a burglary in which certain paper records containing patient information were stolen.
On May 22, 2017, VCS was informed its administrative office had been burglarized on or around May 20, 2017, according to a VCS statement.
Upon learning of the incident, VCS immediately contacted law enforcement to investigate the incident.
The healthcare organization assessed the damage and determined paper records had been stolen.
Information included in the stolen records may have included patient names, dates of birth, Social Security numbers, medical information, diagnosis information, health insurance account numbers, and financial information.
Currently, there is no evidence to suggest any information has been misused in any way.
VCS hired a third-party forensic investigator to find out whether there had been unauthorized access to any information stored in electronic format on the VCS EHR system.
The organization determined there were no signs of any unauthorized access to any information contained within its computer system.
VCS explained it is taking steps to enhance its security measures to prevent further problems. Additionally, the healthcare organization is mailing notices to all patients whose data was included within the stolen records.
Potentially impacted patients will also have the opportunity to access one year of free credit monitoring services.
The organization also set up a toll free call center to answer any questions patients may have regarding the safety of their information.
VCS did not reveal in its statement how many individuals were affected by the incident.
10 patient health records stolen from OK hospital in identity theft scheme
Ten medical records were stolen from a storage building belonging to Mercy Health Love County Hospital, according to KXII Fox News 12.
The local news station stated two identity theft arrests were made last month in connection to the stolen records, as well as stolen mail.
"We've been violated as a hospital, the community's been violated, and we suffered the theft of some records that was inappropriate, and will not happen again," Mercy Health Love County Administrator Richard Barker told the news source.
Suspected thief Lane Miller worked as a licensed practical nurse for Mercy Health until the start of this year. She reportedly returned to the hospital to break in and steal patient information.
"These buildings are secured in various ways, with three digit security combinations, and these combinations are changed periodically," Barker said. "They weren't changed soon enough to prevent this theft, and I take responsibility for that."
Miller and accomplice Robert Bond were arrested in June following the discovery of evidence linking the two to several reported identity thefts throughout Oklahoma totaling over $300,000.
Barker stated the hospital has taken all necessary steps to ensure the facility is more secure in the future.
"Our security measures have changed dramatically, and we are going to make sure this never happens again, so we want to maintain the confidence of the community," Barker said.
OCR has also been alerted of the incident. However, because the breach was small, it is unlikely there will be a federal investigation, stated Barker.
Mercy Health notified all 10 affected patients of the incident and offered free credit support services to each individual.