[BreachExchange] Iowa hospital underscores risk of protected health information breaches from within

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 13 15:55:11 EDT 2016


http://medcitynews.com/2016/05/iowa-hospital-and-phi-breach/

After seven years of illegally accessing the protected health information
(PHI) of 1,620 patients, an employee at UnityPoint Health’s Allen Hospital
in Waterloo, Iowa has been reported to the Department of Health and Human
Services (HHS) for federal investigation.

Officials at the hospital say that the breach was first uncovered on March
14, 2016. The data that this employee inappropriately accessed over the
course of her seven-year stint includes patients’ names, dates of birth,
addresses, treatment information, health insurance identification
information, and medical record numbers. Social Security numbers may have
been viewed in some cases as well.

After the breach was initially discovered, Allen Hospital launched a full
review of the employee’s access history, revealing that she had begun
inappropriately accessing PHI as early as September of 2009. Allen’s vice
president for institutional advancement, Jim Waterbury commented that the
employee’s job entailed regularly accessing PHI, which accounts for the
excessive length of time it took for officials to notice that the HIPAA
breaches were occurring.

Hospital officials have escalated the issue to the HHS Office for Civil
Rights (OCR) and have taken disciplinary action against the employee.
They’ve also sent letters to affected individuals to notify them of the
breach.

In a statement, Waterbury commented on the incident, saying: “We apologize
to our affected patients, and we accept our responsibility to keep this
event from happening again.” Luckily, officials at Allan have reported that
they’ve found no evidence that would indicate that any of the patients’
data had been stolen or used illegally.

Regardless of the action that OCR pursues, HIPAA regulation makes it clear
that excessive and inappropriate access to PHI outside the scope of regular
treatment or billing is a breach of patients’ rights to privacy. Health
care organizations that allow employees to access PHI must have policies
and procedures in place to monitor their access to PHI.

Often, internal auditing and compliance-as-a-service programs can be
implemented that give administrators and security or privacy officers the
ability to monitor and document employee access to PHI. Allen Hospital has
introduced just such a program now that the breach has been brought to a
close as a means of mitigating future incidents and ensuring that their
patients’ rights to privacy are being protected and upheld.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160513/f78c9b3a/attachment.html>


More information about the BreachExchange mailing list