BreachExchange mailing list archives

Large Hospital Breach Caused by Inside Inappropriate Access


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 3 Jun 2013 12:17:16 -0500

http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-46224-1.html

Bon Secours Mary Immaculate Hospital in Suffolk, Va., is notifying
about 5,000 patients after discovering a significant amount of
inappropriate access to patients’ electronic health records from two
employees inside the facility.

“During an April 2013 audit of a patient’s medical record, the health
system identified suspicious access that prompted an investigation,”
according to a notice the hospital issued. “The investigation revealed
that two members of the patient care team accessed patients’ medical
records in a manner that was inconsistent with their job functions and
hospital procedures, and inconsistent with the training they received
regarding appropriate access of patient medical records.”

The local newspaper Daily Press reports the employees were two
certified nurse assistants who have been terminated, and that the
breaches occurred between April 2012 and April 2013. The hospital
started using the EHR in April 2012 and the breach was the first
instance of a reportable security issue, a hospital official told the
newspaper.

Local and federal law enforcement agencies are investigating the
breach to determine if patient information was used illegally.
Compromised information includes patient names, dates and times of
service, provider and facility names, internal hospital medical
records and account numbers that may have included Social Security
numbers, dates of birth and treatment information.

The hospital is offering paid identity theft protection services to
affected patients.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
