The health data records of 769 patients at Lowell General Hospital in Massachusetts were accessed by a hospital employee without authorization. By viewing patient records he had no work-related reason to view, he violated hospital policy and the patients' privacy. When management discovered the snooping and an internal investigation confirmed it, the employee was terminated. The breach involved a single employee rather than an outside attacker.
The hospital has notified the patients affected by the breach. They were told that information such as names, dates of birth, medical diagnoses and treatment details had been accessed by the former employee. No financial information, Social Security numbers or health insurance details were accessed, and the hospital says there is no evidence that the accessed information has been misused. Anyone who wants further details can read the breach notice on the hospital website.
Staff at Lowell General Hospital undergo training and receive instruction on hospital policies, so they know that accessing medical records without a legitimate reason is prohibited. In response to the incident, the hospital reviewed its privacy and security policies to ensure that employees follow the rules and that snooping is identified promptly.
One open question is how long the employee was able to access medical records before being caught. Given the number of patients affected, the access is likely to have continued for months before it was detected.
The HIPAA Security Rule requires covered entities and business associates to implement audit controls (45 CFR 164.312(b)) and to regularly review records of information system activity, such as PHI access logs, for unauthorized access (45 CFR 164.308(a)(1)(ii)(D)). The Rule does not define "regularly," but ongoing review of access logs is the best way to identify suspicious activity promptly rather than months after the fact.
Audits can be done manually, but automated tools make them far less burdensome. Such tools work on rules or on behaviour. Rule-based tools require rules to be defined up front (for example, no access without a documented treatment relationship, or no access outside the user's working hours) and raise an alert whenever a rule is broken. Behaviour-based tools learn what normal access looks like for each user and alert only when activity deviates from that baseline, such as a clerk suddenly viewing far more records in a day than usual. Each approach has a blind spot: rule-based tools miss abuse nobody wrote a rule for, and behaviour-based tools can miss slow, low-volume snooping that never strays far from the baseline. Combining them pinpoints suspicious activity more reliably and catches employees snooping on medical records sooner.
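To make the two audit styles concrete, the following is an added example written for this page, not code from the hospital or from any vendor product. It runs both a rule-based check and a behaviour-based check over a small, constructed EHR access-log extract. The log layout (timestamp, user, patient_id, action), the user names, the care-team assignments and the shift windows are all invented for the demonstration; a real deployment would read these from the EHR's audit log and its scheduling or care-team systems.

```python
"""Added example: two styles of EHR access-log audit over constructed data.

Rule-based: an access breaks a written rule (here: no documented treatment
relationship between user and patient, or access outside the user's shift).
Behaviour-based: a user's daily activity deviates from that user's own
baseline (here: far more distinct patients viewed in a day than usual).

Every log line, user, care-team assignment and shift window below is
constructed for the demonstration; the field layout is hypothetical.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit-log extract: nurse_a behaves normally; clerk_b views
# records at 23:30 on day 2 and then eight unrelated patients on day 3.
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2023-03-01T08:05:00,nurse_a,P001,view
2023-03-01T08:40:00,nurse_a,P002,view
2023-03-01T09:10:00,nurse_a,P003,view
2023-03-01T10:00:00,clerk_b,P001,view
2023-03-01T10:02:00,clerk_b,P004,view
2023-03-02T08:00:00,nurse_a,P001,view
2023-03-02T08:30:00,nurse_a,P002,view
2023-03-02T09:00:00,nurse_a,P003,view
2023-03-02T23:30:00,clerk_b,P001,view
2023-03-02T23:31:00,clerk_b,P005,view
2023-03-03T12:00:00,clerk_b,P006,view
2023-03-03T12:01:00,clerk_b,P007,view
2023-03-03T12:02:00,clerk_b,P008,view
2023-03-03T12:03:00,clerk_b,P009,view
2023-03-03T12:04:00,clerk_b,P010,view
2023-03-03T12:05:00,clerk_b,P011,view
2023-03-03T12:06:00,clerk_b,P012,view
2023-03-03T12:07:00,clerk_b,P013,view
"""

# Constructed care-team assignments: the documented treatment relationship.
CARE_TEAM = {
    "nurse_a": {"P001", "P002", "P003"},
    "clerk_b": {"P001", "P004", "P005"},
}
# Constructed shift windows per user as (start_hour, end_hour), end exclusive.
SHIFT_HOURS = {"nurse_a": (7, 19), "clerk_b": (8, 18)}


def parse_log(text):
    """Parse the CSV extract into dicts with a parsed 'ts' datetime field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def rule_based_alerts(rows):
    """Each rule is explicit; every access that breaks one raises an alert."""
    alerts = []
    for r in rows:
        user, pid, ts = r["user"], r["patient_id"], r["ts"]
        if pid not in CARE_TEAM.get(user, set()):
            alerts.append((ts.isoformat(), user, pid, "no_treatment_relationship"))
        start, end = SHIFT_HOURS.get(user, (0, 24))
        if not start <= ts.hour < end:
            alerts.append((ts.isoformat(), user, pid, "outside_shift"))
    return alerts


def behavior_based_alerts(rows, min_history_days=2, z=3.0):
    """Per-user baseline of distinct patients viewed per day; flag outliers.

    Only days before the day under test form the baseline, so a user's first
    min_history_days produce no alerts (there is no baseline yet). Returns
    (day, user, distinct_patients, threshold) tuples.
    """
    per_user_day = defaultdict(lambda: defaultdict(set))
    for r in rows:
        per_user_day[r["user"]][r["ts"].date()].add(r["patient_id"])
    alerts = []
    for user, days in per_user_day.items():
        history = []
        for day in sorted(days):
            count = len(days[day])
            if len(history) >= min_history_days:
                mean = statistics.mean(history)
                sd = statistics.pstdev(history)
                # Floor the deviation at 1 so a perfectly flat history does
                # not flag a single extra patient as an anomaly.
                threshold = mean + z * max(sd, 1.0)
                if count > threshold:
                    alerts.append((day.isoformat(), user, count, round(threshold, 1)))
            history.append(count)
    return alerts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for a in rule_based_alerts(rows):
        print("RULE     ", a)
    for a in behavior_based_alerts(rows):
        print("BEHAVIOUR", a)
```

On this data the rule-based check fires ten times, all for clerk_b: twice for the late-night views on day 2 and eight times for patients with no care-team relationship on day 3. The behaviour-based check fires once, for clerk_b on day 3, where eight distinct patients far exceeds the baseline of two per day. Note what each misses: the rules say nothing about the day-2 views of P001 and P005 beyond the shift hour (both patients are on clerk_b's care team), and the baseline check would not notice a snooper who views one extra record a day for months, which is the pattern the article suggests went undetected.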