UC Irvine Medical Center announced last week that an employee viewed thousands of patient records over a four-year period “without a job-related purpose,” potentially compromising the information of 4,859 patients and leading to a health data breach.
UC Irvine officials discovered on March 13, 2015, that an employee had viewed records between June 2011 and March 2015. Some PHI may have been viewed, according to a medical center statement.
Information inappropriately accessed includes names, dates of birth, gender, medical record numbers, height, weight, medical center account numbers, allergy information, home address, medical documentation, diagnoses, test orders and results, medications, employment status, and the names of patient’s health plans and employers. However, Social Security numbers, driver’s licenses or state ID card numbers, and credit or debit card information were not accessed.
Hospital spokesperson John Murray told The Orange County Register that there is no evidence that the records were downloaded or distributed via e-mail. Murray added that while he could not comment on whether or not the employee in question still worked for UC Irvine, the employee was disciplined and no longer has access to the medical center’s computer systems.
A copy of notification letters being sent patients was posted on the California Office of Attorney General website. In that letter, UC Irvine explained why patients were being alerted of this incident months after the initial discovery was made:
“Due to its on-going investigation, local law enforcement asked us not to notify patients right away, because sending out notifications could have interfered with its investigation. Local law enforcement has now informed us that we are free to notify patients.”
The notification letter added that the hospital “hired independent experts in computer forensics to conduct a thorough investigation,” after the breach discovery. Those experts reported that there was no evidence that patient information was removed from the medical center. Local law enforcement were also notified, and they are conducting an on-going investigation. The letter also verified that the employee’s access to medical center computer systems was removed and that “disciplinary action” was imposed.
Affected patients will also be offered one year of free credit monitoring and identity theft protection, according to UC Irvine.
This is not the first health data security incident that UC Irvine has faced in recent years. Just over one year ago, the medical center reported that 1,813 students and some non-students were impacted by a data breach involving keylogging software malware.
The security office learned that the breach had affected three student health center computers on March 26, 2014 and that they had been infected for about six weeks.
Patient names, health or dental insurance numbers, CPT code(s), ICD9 code(s) and/or diagnoses and student ID numbers may have been transmitted to unauthorized servers.
“UC Irvine is committed to maintaining the privacy of students’ and non-student patients’ personally identified information and takes many precautions for the security of personal and medical information,” the medical center said at the time. “The University is continually modifying its systems and practices to enhance the security of sensitive information.”
View the original content and more from this author here: http://ift.tt/1SFZVMp
from health IT caucus http://ift.tt/1TKyW3J
via IFTTT
No comments:
Post a Comment