Upstate University Hospital in Syracuse, NY, has informed 1,216 of its patients that a former hospital worker has impermissibly accessed some of their protected health information (PHI). The hospital discovered the breach on September 12, 2018.
An investigation was launched into the security breach which revealed the former hospital employee began accessing patients’ medical records without a valid work reason for doing so on November 3, 2016. The employee continued to access patients’ medical records up until October 23, 2017.
The investigators didn’t uncover any evidence that suggests the former employee printed out, copied, or transmitted any patient data outside the organization. It is unclear why the employee accessed patients medical records. No details of the employee’s motives have been disclosed.
According to Upstate University Hospital, highly sensitive information such as financial information, Social Security numbers, and medical insurance details remained secure and the types of information that were accessed are not those required by identity thieves. The breached data was limited to patients’ names, ages, contact information, medical record numbers, types of services received, service appointments, diagnoses, treatment information, and prescribed drugs.
Hospital staff with PHI access had been provided with comprehensive training related to the protection of the confidentiality and integrity of patient information. Following the breach, staff members have been reminded of their responsibilities with regards to HIPAA and Upstate University Hospital has now reviewed and strengthened its security controls for keeping patient data private and confidential.