In February 2017, West Virginia University Healthcare notified more than 7,000 patients about a breach of their personal patient protected health information. Starting in March 2016, a Berkeley Medical Center employee began accessing patient information without authorization. She then used that information to steal some of the patients’ identities. The employee’s name has yet to be released.
The University released a statement on its website on Feb. 24, 2017.
University officials became aware of the situation in mid-January when they were contacted by the FBI and local law enforcement about an investigation; they immediately launched their own investigation and soon found a “connection between the employee and 113 former patients.”
Those confirmed victims have been contacted by law enforcement. In total, 7,445 breach notification letters were sent to patients informing them of unauthorized ePHI access.
The unauthorized access started in March 2016 and continued until the employee was suspended.
According to this story in Herald Mail-Media, the employee’s “job was to schedule patients at both Berkeley Medical Center and Jefferson Medical Center in Ranson, W.Va., for outpatient procedures and pre-surgical testing.”
The employee removed the patient information by writing it down by hand onto paper and carrying it off the premises.
The employee has since been terminated and is being criminally prosecuted.
According to the statement:
“Police found copies of drivers’ licenses with photos, ID cards, insurance cards and/or Social Security cards in the former employee’s possession. University Healthcare has since tracked her computer system access and determined that in some instances she also viewed physician orders containing diagnoses and other medical information.”
Berkeley Medical Center is located in Martinsburg, West Virginia.
According to a story about the incident posted on HIPAA Journal, “Inappropriate accessing of patients’ medical records by healthcare employees occurs frequently, although this incident stands out due to the number of patients potentially impacted and how long it took for the HIPAA violation to be discovered – almost 10 months.”
The HIPAA Security Rule requires healthcare organizations to maintain ePHI access logs and look at those logs at regular intervals to make sure there’s no inappropriate access.
“When healthcare employees are found to have accessed information without a legitimate work reason for doing so, it sends a message to other employees that their actions are being carefully monitored,” according to the HIPAA Journal story. “This helps to establish a culture of responsibility and accountability. Prompt identification of inappropriate ePHI access will also ensure that patients can be notified in time to prevent their stolen information from being used to steal identities and commit medical fraud.”
Are you covered for identity theft?
Image: Unsplash