A former employee stands accused of inappropriately accessing over a thousand patient records without authorisation.
It’s believed more than 1,100 patients may have had their medical records viewed without reason over a 14-year period.
Authorities were alerted to the data breach when a former patient raised concerns that their medical records may have been accessed inappropriately online. An internal review found that a hospital employee had indeed accessed the records “without a good reason” to do so. From there, it was found that the same employee had accessed a huge number of former and current patient medical records without authorisation or grounds to do so.
Department of Health Investigation
The relevant Department of Health has been conducting an investigation into the multiple data breaches, which span from 2003 to May 2017. The unnamed employee obtained access to a range of personal and sensitive information, including:
- Names
- Addresses
- Phone numbers
- Dates of birth
- Gender
- Diagnoses
- Medical treatment
It’s also believed that, for some patients, Social Security Numbers may have also been compromised.
Why were the records accessed?
No information has been offered as to the employee’s intentions for accessing the patient records.
So far, there has also been no confirmation that the information has been copied and shared anywhere else.
Officials are aware that, with the wealth of information compromised, people could be at serious risk. With social security numbers, the employee could easily steal someone’s identity, or sell the information on to malicious organisations as well.
No evidence of information being misused
Officials do not believe the information has been misused. The culprit has reportedly been dismissed and no longer has access to patient records.
The hospital in question has taken action to implement further security measures to ensure patient records and personal information have greater protection from unauthorised internal and external access.
How has this happened for 14 years?
It’s simply shocking that this kind of data breach could be allowed to happen for 14 years. Tewksbury Hospital may also be taking steps to review and implement security protocols to ensure across-the-board compliance, alongside appropriate monitoring to ensure everyone follows data protection rules.
The Department of Health and Human Services has offered individuals some helpful advice if they suspect misuse of personal data:
- Notify authorities of the loss of personal data and request that an initial fraud alert be placed on your bank account for 3 months
- Order a credit report and check it for any signs of suspicious activity
- Request a security freeze (though this may impact the individual’s own access to their accounts)