Upstate University Hospital in Syracuse, NY, has announced that over a thousand patients have been affected by a security breach involving a former employee of the facility.
The breach was discovered at Upstate University Hospital on September 12, 2018. An investigation was launched to determine the cause of the breach and assess the scope of the damage. The investigation revealed that the former employee first accessed patient health records without any legitimate work reason for doing so on November 3, 2016. Patient records continued to be accessed until October 23, 2017.
Employees accessing the protected health information (PHI) of individuals without any legitimate reason to do so is a violation of the Health Insurance Portability and Accountability Act (HIPAA). Violating HIPAA carries serious consequences, including hefty financial penalties and, depending on the nature of the incident, sometimes criminal charges.
The sensitive data of 1,216 patients were compromised by the former employee. The investigation did not uncover any evidence to suggest any information had been printed, copied, or forwarded outside the organisation. The breach was limited to names, ages, addresses, medical record numbers, dates of service, types of services received, diagnoses, treatment information, and details of prescriptions.
Highly sensitive information such as Social Security numbers, financial information, health insurance information, and other information typically sought by identity thieves was not compromised and remained secure at all times.
No evidence was found that the information had been used for any malicious purposes. Those affected have been informed in accordance with HIPAA’s Breach Notification Rule. All those whose data was compromised are advised to be vigilant for any suspicious activity on any of their accounts, in case they are victims of identity theft.
A spokesperson for Upstate has stated that the organisation cannot reveal the identity of the former employee, and that it is unclear why the records were accessed. No information on the motives behind the privacy violations has been made public. It is possible that the employee was merely “snooping”, but given the sheer number of records accessed, this seems unlikely.
In accordance with HIPAA guidelines, all staff members at the hospital with access to PHI already receive in-depth training on maintaining the privacy and security of patient information and are aware of their responsibilities with respect to HIPAA. In light of the breach, it is likely that employees will be reminded of HIPAA privacy requirements to ensure that a breach of this nature does not occur again.
The privacy breach has prompted Upstate University Hospital to conduct a review of their protocols and security measures. They have also committed to ensuring that the technical, physical, and administrative safeguards on PHI are strengthened and fully compliant with HIPAA’s Security Rule.