HIPAA Security Breach at Riverside Health

by Ryan Coyne | Jan 3, 2014

A new HIPAA security breach has been discovered in Virginia involving 919 patients from the Riverside Health System which runs five hospitals in the Southeast Virginia area.

The data violation did not involve tens of thousands of patients although the security breach is one of the longest running on record to date, with ePHI data being accessible since September 2009 up until the security breach was identified on November 1 last year.

The data was not accessed by outside bodies as with other recent breaches, instead a single practice nurse working at one of the hospitals accessed the records of almost 1000 patients. The breach was found in a random audit of the hospital’s IT infrastructure.

The nurse is believed to have accessed the records of 919 patients, which included Social Security numbers and medical records, although the reason for accessing the data was not given. The nurse has since been fired after contract was terminated and there is no ongoing security danger to the data.

Riverside Health System is currently taking all reasonable actions to contact patients and minimize any damage or loss caused. An apology has been sent to all patients affected and the Riverside Health System is currently implementing a number of new security measures to further protect patients.

All patients have been advised, by letter, of the unauthorized access of their medical data, with each being offered a year of credit monitoring services without charge. However, at the time of publishing, the hospital has been unable to contact 76 of the patients affected.

This breach shows that any healthcare organization can be affected by a HIPAA breach, even when there is a robust compliance program in place like the one at Riverside Health. It is important for healthcare institutions to complete a full risk assessment to identify possible weaknesses and while unauthorized access to patient records by external entities must be stopped, security controls should be implemented to limit unnecessary access to sensitive data by healthcare workers.

The Office for Civil Rights of the Department of Health and Human Services is issuing heavy financial penalties for organizations and their business associates for data breaches arising from willful neglect. Fines of $10,000 are issued for every violation with a maximum fine of $1.5 million per year. Security breaches such as the one the occurred at St. Joseph´s that have not been addressed for a number of years can prove to be an expensive mistake, although the company will have to wait until the OCR has finished its investigation to find out if a financial penalty is issued for this violation.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter