The medical records of 769 patients at Lowell General Hospital have been accessed by a member of staff without any legitimate work reason.
By accessing the medical records, the member of staff breached the Massachusetts-based hospital's policies and violated the privacy of its patients. Once the breach was discovered and the subsequent investigation completed, the employee was fired. Lowell General Hospital is satisfied that only one person was involved and that this was not a widespread issue at the hospital.
Patients affected by the security incident have been notified and a breach notice has been published on the hospital website. Patients have been advised that the types of information accessed by the former member of staff included names, dates of birth, medical diagnoses, and information relating to the treatments they received.
No financial details, health insurance details, or Social Security numbers were viewed by the employee, and the investigation found no evidence that any of the information accessed had been misused.
Lowell General Hospital provides training to all employees and clearly instructs them that accessing medical records without a legitimate reason is strictly forbidden. While checks are performed to ensure that employees abide by hospital policies, the incident has prompted Lowell General Hospital to review the privacy and security policies covering its medical record system. Improvements will be made to ensure that any future cases of snooping are discovered quickly, and the hospital will continue to provide ongoing patient privacy training to employees.
What is not clear is how long the member of staff was able to improperly access medical records before the privacy violations were found. The number of patients affected suggests the improper access had been ongoing for many months.
The HIPAA Security Rule requires covered entities and their business associates to regularly review records of information system activity, including PHI access logs, for unauthorized access. While "regularly" is open to interpretation, it is good practice to audit access logs continually so that unauthorized activity is found quickly rather than months after the fact.
These audits can be completed manually, although tools are available to reduce the administrative burden. Such tools are either rule-based or behavior-based. The former requires rules to be defined that trigger an alert when they are broken (for example, a user viewing the record of a patient not under their care, or accessing records outside working hours), while behavior-based systems learn what normal access looks like for each user and trigger alerts when they see a deviation from that baseline. Automated solutions of either kind can surface inappropriate activity far sooner than periodic manual review, allowing prompt action to be taken when employees view medical records without authorization.
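The two approaches just described, as an added example that is not part of the original article or of any tooling used by Lowell General Hospital. The access-log format, the user and patient identifiers, the working-hours window, the daily volume cap and the three-sigma threshold are all assumptions constructed for illustration; a real EHR audit log will carry different fields and a real deployment would tune the thresholds to its own population of users.

```python
"""Rule-based and behavior-based review of a PHI access log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real data). One access per line:
# timestamp user user_unit patient patient_unit
# nurse01 has one after-hours access and one cross-unit access on day 1.
# user07 views 2-3 own-unit patients a day, then 8 on 2019-05-05.
SAMPLE_LOG = """\
2019-05-01T09:12:00 nurse01 ICU P1001 ICU
2019-05-01T09:40:00 nurse01 ICU P1002 ICU
2019-05-01T22:15:00 nurse01 ICU P1003 ICU
2019-05-01T13:00:00 nurse01 ICU P4001 ONC
2019-05-01T10:05:00 user07 ADMIT P2001 ADMIT
2019-05-01T11:00:00 user07 ADMIT P2002 ADMIT
2019-05-02T10:05:00 user07 ADMIT P2003 ADMIT
2019-05-02T11:00:00 user07 ADMIT P2004 ADMIT
2019-05-03T10:05:00 user07 ADMIT P2005 ADMIT
2019-05-03T11:00:00 user07 ADMIT P2006 ADMIT
2019-05-03T11:30:00 user07 ADMIT P2007 ADMIT
2019-05-04T10:05:00 user07 ADMIT P2008 ADMIT
2019-05-04T11:00:00 user07 ADMIT P2009 ADMIT
2019-05-05T10:00:00 user07 ADMIT P2010 ADMIT
2019-05-05T10:10:00 user07 ADMIT P2011 ADMIT
2019-05-05T10:20:00 user07 ADMIT P2012 ADMIT
2019-05-05T10:30:00 user07 ADMIT P2013 ADMIT
2019-05-05T10:40:00 user07 ADMIT P2014 ADMIT
2019-05-05T10:50:00 user07 ADMIT P2015 ADMIT
2019-05-05T11:00:00 user07 ADMIT P2016 ADMIT
2019-05-05T11:10:00 user07 ADMIT P2017 ADMIT
"""

WORK_HOURS = range(6, 20)     # assumed: 06:00-19:59 counts as a normal shift
DAILY_PATIENT_LIMIT = 20      # assumed fixed cap used by the volume rule
MIN_BASELINE_DAYS = 3         # assumed: days of history before profiling a user
SIGMA = 3.0                   # assumed: how far above baseline is "anomalous"


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, user_unit, patient, patient_unit = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "user_unit": user_unit, "patient": patient,
                       "patient_unit": patient_unit})
    return events


def daily_patient_counts(events):
    """user -> {date: number of distinct patients that user viewed that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        seen[e["user"]][e["ts"].date()].add(e["patient"])
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def rule_based_alerts(events):
    """Fixed rules: cross-unit access, after-hours access, hard daily volume cap."""
    alerts = []
    for e in events:
        if e["user_unit"] != e["patient_unit"]:
            alerts.append(("cross_unit", e["user"], e["patient"]))
        if e["ts"].hour not in WORK_HOURS:
            alerts.append(("after_hours", e["user"], e["patient"]))
    for user, days in daily_patient_counts(events).items():
        for day, n in days.items():
            if n > DAILY_PATIENT_LIMIT:
                alerts.append(("volume", user, str(day)))
    return alerts


def behavior_based_alerts(events):
    """Flag a day whose distinct-patient count is far above the user's own prior days.

    The baseline is the user's earlier days only; the floor of +2 stops a
    zero-variance baseline from flagging a one-patient change.
    """
    alerts = []
    for user, days in daily_patient_counts(events).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            prior = [days[d] for d in ordered[:i]]
            if len(prior) < MIN_BASELINE_DAYS:
                continue
            threshold = mean(prior) + max(SIGMA * pstdev(prior), 2)
            if days[day] > threshold:
                alerts.append(("anomalous_volume", user, str(day),
                               days[day], round(threshold, 2)))
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in rule_based_alerts(evts) + behavior_based_alerts(evts):
        print(a)
```

On this sample the rules catch nurse01's after-hours and cross-unit views but say nothing about user07, whose eight same-unit lookups stay well under the fixed cap; only the per-user baseline flags that day as roughly double what user07 normally does. That gap is exactly why a hospital would run both kinds of check side by side: rules encode policy that must never be broken, while the behavioral profile catches snooping that stays inside the letter of each rule.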