The discovery has been made that the medical records of 769 patients of Lowell General Hospital in Massachusetts have been accessed by an employee without any valid work reason.
In accessing the medical details, the employee violated hospital policies and breached the privacy of patients.After finding the breach, and completion of the subsequent investigation, the employee was let go from their position. Lowell General Hospital was happy that only one person was involved, and that this was not a group-wide problem at the hospital.
Patients affected by the security incident have been alerted and a breach notice has been placed on the hospital website. Patients have been told that the types of information seen by the former member of staff included names, dates of birth, medical diagnoses, and information relating to treatments provided to people.
No financial data, health insurance details, or Social Security numbers were seen by the employee, and the investigation found no evidence to suggest that any of the data that was seen has been misused.
Lowell General Hospital supplies training to all staff, and clearly advises employees that the accessing of medical records without a legitimate reason is strictly forbidden. While checks are carried out to ensure that employees are abiding by hospital policies, the incident has lead to Lowell General Hospital conducting a review of its privacy and security policies relating to its medical records. Improvements will be completed to ensure that any future instances of snooping are identified quickly. The hospital will go on providing ongoing training to employees on patient privacy.
What it is not clear how long the employee was able to improperly access medical records before the privacy violations were found. The number of patients affected by the incident suggests the improper access had been going on for several months.
HIPAA required covered bodies and their business associates to constantly monitor PHI access logs for unauthorized access. While “regularly” is open to some interpretation, it is a good best practice to complete ongoing audits of access logs to help find unauthorized activity.
These audits can be completed manually, although tools are available to minimize the administrative burden. Those available tools are either rule-based or behavior-based. The former needs rules to be set which will trigger alerts if they are breached, while behavior based systems learn about normal access and trigger warnings if any anomalies are found. These automated solutions can help to find improper activity much more quickly, allowing rapid measures to be adapted when employees look at medical histories.