Ah, I feel like I’ve been transported back in time, when it was always so hard to find a notification of a breach on an entity’s web site.
I went searching for information on a breach Lowell General Hospital in Massachusetts reported to HHS as affecting 769 patients. I was looking for media contact information, when I saw a tiny little message at the bottom of their home page (you have to scroll down and down to find it): “A Message to Our Patients Regarding Privacy Concerns.”
The link has no date on it, and clicking on the link takes you to an undated notice, which may be the explanation for the report to HHS:
“Lowell General Hospital is committed to assuring the privacy of our patients’ health and personal information. Lowell General Hospital recently learned that an unauthorized employee accessed electronic patient medical records without medical reason to do so. As a result, the employee has been terminated and is no longer on staff at Lowell General Hospital.
“Lowell General Hospital launched a comprehensive investigation as soon as we learned that an employee may have accessed patient records inappropriately. Based on this review, Lowell General Hospital believes that a single employee accessed and reviewed patient records inappropriately in direct violation of hospital policy and trainings. The information that was inappropriately accessed may have included name, date of birth, diagnoses, and other information about patient’s medical treatment. The individual did not have access to social security numbers, insurance policy numbers, or any other financial information. There is no evidence that any of the information has been used inappropriately.
“We are taking immediate action to prevent such incidents in the future. We are in the process of reviewing the privacy and security of our electronic medical records system and making improvements to safeguards and monitoring activities. We will continuously provide education to all employees regarding the importance of patient privacy.
“We sincerely apologize and regret that this situation has occurred. Lowell General Hospital is committed to providing quality care, including protecting our patients’ personal information, and we want to assure you that we have policies and procedures in place to protect your privacy.
“If you were personally affected by this incident and we have your current address, you will be receiving a letter informing you that your personal and health information was inappropriately accessed. Please do not hesitate to contact us with any questions about this incident or if you need additional information on what you should do as a result of the incident, at 855-463-9544.”
So for how long did this inappropriate access occur? And how did the hospital first discover it? The hospital did not immediately respond to an emailed inquiry seeking that information.