Lee Hammel reports:
Personal pay stub information of some UMass Memorial Healthcare employees was subject to unauthorized access for five months.
The organization learned March 10 that at 10 kiosks where employees could view their pay stub information, and also at shared workstations, subsequent users were able to access the information of previous users, according to Rob Brogna, UMass Memorial spokesman. Upon confirming the problem, UMass Memorial removed the kiosks from use, he said.
The day after the breach was discovered, UMass Memorial applied a systemwide software change to disable the pertinent setting on the organization’s HRConnect application, he said. On March 16, the direct deposit bank account number was redacted from the information on HRConnect, and subsequently the 10 kiosks were returned to the campuses for employee use, Mr. Brogna said.
The personal information potentially exposed included name, bank name, bank transit number and bank account number. The breach did not involve employee Social Security numbers or medical record or patient information, he said.
Only UMass Memorial employees who accessed HRConnect using the kiosks or a shared workstation between Oct, 7 and March 11 are potentially affected by the breach, Mr. Brogna said. What portion of the 13,500 employees of the health care system was affected was not available last night.
Read more in the Telegram.
So what happened in October? Was there an upgrade that was problematic, or were the kiosks first introduced in October, or…?