PeaceHealth, a non-profit Catholic health system located in Vancouver, WA, discovered on August 9, 2017 the inappropriate access of one of its previous employees to the health records of about 2,000 patients with no valid work reason. After discovering the unauthorized access, PeaceHealth conducted an investigation and found out that the employee actually began the improper access way back in November 2011 up to July 2017.
The investigation established that no Social Security number or financial information was viewed by the employee. But he did access information such as the patients’ names, medical record numbers, medical diagnoses, admission and discharge dates and progress notes.
Considering the nature of information accessed by the ex-employee and the internal investigation results, PeaceHealth believes that the patients affected by the breach are not susceptible to identity theft. Nevertheless, all affected patients have been cautioned to stay watchful and evaluate their credit reports and statement of accounts for potential signs of fraudulent actions.
The patients whose protected health information was viewed may have visited PeaceHealth St. Joseph Medical Center or the Southwest Medical Center from November 2011 to July 2017. Breach notification letters had been sent email to all affected persons. According to PeaceHealth, patient privacy is very important to them and incidents such as this are taken very seriously. The medical center dismissed the violating employee.
PeaceHealth also spends on technology to avoid data breaches, observes industry guidelines for supervising and protecting PHI, and gives privacy and security training to employees. The breach has persuaded PeaceHealth that its staff must be re-educated regarding proper access of PHI. PeaceHealth has notified the Department of Health and Human Services’ Office for Civil Rights about the breach incident indicating that 1,969 patients had their PHI improperly accessed.