It has been discovered that the medical records of almost 2,000 patients were illegally accessed by a former employee at PeaceHealth, a not-for-profit Catholic health system based in Vancouver, WA.
The unauthorized access was identified by PeaceHealth on August 9, 2017, leading to an investigation. PeaceHealth found the inappropriate access started in November 2011 and went on until July 2017.
The inquiry revealed that Social Security numbers and financial information were not obtained by the employee, although patient names, medical record numbers, admission and discharge dates, medical diagnoses, and progress notes were all seen.
Due to the nature of the information that was accessed, and the results of the internal inquiry, PeaceHealth does not feel any patients impacted by the breach are in danger of identity theft. However, all impacted people have been warned to remain vigilant and review their credit reports and account statements for any sign of fraudulent activity.
Patients targeted by the HIPAA compliance breach had attended either the PeaceHealth St. Joseph Medical Center or its Southwest Medical Center between November 2011 and July 2017. All people affected by the incident have now been advised of the breach by mail.
PeaceHealth released a statement which read: “Patient privacy is among our highest priorities, and we take this [incident] very seriously.” The individual no longer works at PeaceHealth.
PeaceHealth already has a policy in place under which it invests in technology to prevent data breaches, follows industry best practices for monitoring and securing PHI, and provides training to staff on privacy and security. The incident has prompted PeaceHealth to refresh the education of its staff on appropriate access to PHI.
The incident report has now been submitted to the Department of Health and Human Services’ Office for Civil Rights. The privacy breach report shows the PHI of 1,969 patients was improperly obtained.