A new HIPAA security breach has been discovered in Virginia involving 919 patients from the Riverside Health System which runs five hospitals in the Southeast Virginia area.
The data violation did not involve tens of thousands of patients although the security breach is one of the longest running on record to date, with ePHI data being accessible since September 2009 up until the security breach was identified on November 1 last year.
The data was not accessed by outside bodies as with other recent breaches, instead a single practice nurse working at one of the hospitals accessed the records of almost 1000 patients. The breach was found in a random audit of the hospital’s IT infrastructure.
The nurse is believed to have accessed the records of 919 patients, which included Social Security numbers and medical records, although the reason for accessing the data was not given. The nurse has since been fired after contract was terminated and there is no ongoing security danger to the data.
Riverside Health System is currently taking all reasonable actions to contact patients and minimize any damage or loss caused. An apology has been sent to all patients affected and the Riverside Health System is currently implementing a number of new security measures to further protect patients.
All patients have been advised, by letter, of the unauthorized access of their medical data, with each being offered a year of credit monitoring services without charge. However, at the time of publishing, the hospital has been unable to contact 76 of the patients affected.
This breach shows that any healthcare organization can be affected by a HIPAA breach, even when there is a robust compliance program in place like the one at Riverside Health. It is important for healthcare institutions to complete a full risk assessment to identify possible weaknesses and while unauthorized access to patient records by external entities must be stopped, security controls should be implemented to limit unnecessary access to sensitive data by healthcare workers.
The Office for Civil Rights of the Department of Health and Human Services is issuing heavy financial penalties for organizations and their business associates for data breaches arising from willful neglect. Fines of $10,000 are issued for every violation with a maximum fine of $1.5 million per year. Security breaches such as the one the occurred at St. Joseph´s that have not been addressed for a number of years can prove to be an expensive mistake, although the company will have to wait until the OCR has finished its investigation to find out if a financial penalty is issued for this violation.