[BreachExchange] 7,445 patients notified of University Healthcare information breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 24 20:05:46 EST 2017


http://www.journal-news.net/news/local-news/2017/02/7445-patients-notified-of-university-healthcare-information-breach/

More than 7,000 patients of WVU Medicine University Healthcare were
notified of a breach of unsecured personal patient protected health
information after it was discovered that an employee had accessed patient
information without authorization.

University Healthcare officials became aware on Jan. 17 of an FBI and local
law enforcement investigation into the unauthorized access, use and
disclosure of personal information contained on the electronic systems of
University Healthcare by an employee of Berkeley Medical Center in
Martinsburg.

As soon as University Healthcare was notified of the potential breach, an
extensive internal investigation began. Through this investigation, a
connection between the employee and 113 former patients was confirmed. The
employee was suspended, then terminated as a result of her illegal conduct.

University Healthcare’s internal investigation as well as the investigation
by law enforcement confirmed that this unauthorized access began no earlier
than March 1, 2016 and is presumed to have continued until the former
employee was suspended. In working with law enforcement, University
Healthcare also learned that she inappropriately removed the patient
information by handwriting it onto paper and carrying it off the premises.

While the criminal investigation is still ongoing, authorities have
confirmed that 113 of the 7,445 individuals are victims of identity theft.
All 113 confirmed victims were contacted immediately by law enforcement.
The former employee is being criminally prosecuted.

Police found copies of drivers’ licenses with photos, ID cards, insurance
cards and/or Social Security cards in the former employee’s possession.
University Healthcare has since tracked her computer system access and
determined that in some instances she also viewed physician orders
containing diagnoses and other medical information.

University Healthcare has safeguards in place to ensure the privacy and
security of all patient health information. Because the former employee had
access to this information as part of her employment as an
authorization/prescheduling coordinator, her criminal conduct could not be
detected as part of University Healthcare’s routine IT/privacy security
checks. The former employee completed annual mandatory education on
privacy/protected health information and signed a confidentiality
agreement. A background check was also completed prior to her joining the
organization.

University Healthcare is working with local law enforcement and security
experts to notify impacted patients of the breach. Kroll, a global leader
in risk solutions, has been hired by University Healthcare to provide
identity monitoring at no cost to all 7,445 individuals for one year.
University Healthcare is also encouraging these patients to contact their
financial institutions to prevent unauthorized access to personal accounts.

Kroll has established a call center for patients who have questions related
to the data breach. Individuals may call 855-656-6592,
Monday through Friday, 9 a.m. to 6 p.m. (Eastern Standard Time) or visit
Kroll’s website at www.kroll.com for further information.