Our Lady of the Angels Hospital found out that a former employee accessed the health data of 1,140 patients without authorization. The employee had been given access to protected health information (PHI) in order to perform work responsibilities, but hospital personnel learned that the employee was accessing health records with no valid work reason.
The unauthorized access was discovered on July 25, 2017, and the medical record system immediately terminated the employee’s access. The employee was also dismissed. Rene Ragas, President and CEO of Our Lady of the Angels Hospital, said that the hospital prioritizes patient privacy and that inappropriate access to patient data by employees will not be tolerated.
A comprehensive investigation was conducted to determine which patients had been impacted by the breach. It was discovered that the terminated employee had been accessing patients' health records without authorization for over three years.
The Franciscan Missionaries of Our Lady Health System acquired the Bogalusa, LA hospital on March 17, 2014, which is the same date on which the inappropriate access first began. A representative from the hospital affirmed to Becker’s Hospital Review that the unauthorized access had probably been taking place for as long as 15 years, while the hospital was still under LSU Health management under the name LSU Bogalusa Medical Center.
The former employee was questioned about the unauthorized access, and it does not appear that the patient medical records were shared with other people or misused in any way. This seems to be another instance of a healthcare employee viewing patient records out of curiosity. Though no data theft or misuse is suspected, as a precautionary measure all patients impacted by the data breach were offered one year of free credit monitoring services.
The information viewed by the former employee consists of the patients’ names, phone numbers, addresses, birth dates, gender, insurance details, Social Security numbers, dates and places of service, diagnoses, and clinical information including orders, medications, test results, and clinical abstracts.
All policies and procedures of Our Lady of the Angels Hospital will be reviewed, and its audit processes are expected to be revised to prevent and quickly identify future privacy breaches of a similar nature. Employees will also undergo additional training on PHI privacy and security.