HIPAA Security Breach at Riverside Health

by | Jan 3, 2014

A new HIPAA security breach has been discovered in Virginia involving 919 patients from the Riverside Health System which runs five hospitals in the Southeast Virginia area.

The data violation did not involve tens of thousands of patients although the security breach is one of the longest running on record to date, with ePHI data being accessible since September 2009 up until the security breach was identified on November 1 last year.

The data was not accessed by outside bodies as with other recent breaches, instead a single practice nurse working at one of the hospitals accessed the records of almost 1000 patients. The breach was found in a random audit of the hospital’s IT infrastructure.

The nurse is believed to have accessed the records of 919 patients, which included Social Security numbers and medical records, although the reason for accessing the data was not given. The nurse has since been fired after contract was terminated and there is no ongoing security danger to the data.

Riverside Health System is currently taking all reasonable actions to contact patients and minimize any damage or loss caused. An apology has been sent to all patients affected and the Riverside Health System is currently implementing a number of new security measures to further protect patients.

All patients have been advised, by letter, of the unauthorized access of their medical data, with each being offered a year of credit monitoring services without charge. However, at the time of publishing, the hospital has been unable to contact 76 of the patients affected.

This breach shows that any healthcare organization can be affected by a HIPAA breach, even when there is a robust compliance program in place like the one at Riverside Health. It is important for healthcare institutions to complete a full risk assessment to identify possible weaknesses and while unauthorized access to patient records by external entities must be stopped, security controls should be implemented to limit unnecessary access to sensitive data by healthcare workers.

The Office for Civil Rights of the Department of Health and Human Services is issuing heavy financial penalties for organizations and their business associates for data breaches arising from willful neglect. Fines of $10,000 are issued for every violation with a maximum fine of $1.5 million per year. Security breaches such as the one the occurred at St. Joseph´s that have not been addressed for a number of years can prove to be an expensive mistake, although the company will have to wait until the OCR has finished its investigation to find out if a financial penalty is issued for this violation.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy