NH: Pathology lab doctors say WDH punishing them for reporting privacy breaches by rogue employee
Adam D. Krauss reports on a case of what seems to involve patient record tampering without any clear financial or other motivation. In a fairly detailed story, Krauss discusses some of both the privacy and data security issues:
Two doctors who run the pathology lab at Wentworth-Douglass Hospital say they’ll soon be out of a job because WDH President and CEO Gregory Walker is punishing them after they discovered “massive and systematic violations of patients’ privacy” by a rogue hospital employee.
Dr. Cheryl Moore and Dr. Glen Littell, who run the contracted and independent Piscataqua Pathology Associates, laid out their case in a recent letter to members of the WDH board of trustees, explaining how the hospital is ending a 28-year relationship with their practice three years after they first became suspicious of the employee breaching patient privacy.
The breach took place between May 21, 2006, and June 29, 2007, at the hands of a hospital employee who improperly altered 1,500 reports and accessed them 1,847 times, according to a copy of the letter obtained by Foster’s.
WDH spokeswoman Noreen Biehl confirmed the employee was terminated when an audit revealed the employee was behind the problem, and she stressed patient safety was not compromised.
Here’s the part of the story concerning the security aspects:
The doctors’ letter to trustees claims the ex-employee, who was not employed by Piscataqua Pathology Associates, infiltrated the reports on hospital time “utilizing passwords the Hospital failed to change.” Biehl said she did not know enough to explain whether that allegation meant the ex-employee retained access rights to the software used in the pathology lab beyond a point she was supposed to.
The letter does not detail the motivation of the ex-employee, and Biehl said she did not know what caused the worker to act.
The breach is just now coming to light because an audit launched to survey the damage was not completed until late May, the result of Walker allocating “so few resources to the investigation,” forcing a single hospital employee who works as a pathology lab aide to take on the task herself, the letter says.
More on the audit’s revelations:
Other audit findings include 63 unauthorized entries in the computer software to view 23 different autopsy cases, including once to change the date and time of a patient’s death. There were single instances of removing clinical history from a case, removing information related to imaging, changing tissue sample location sites and removing doctors’ dictation from a file. There were also more than 90 cases where the ex-employee prevented physicians from receiving patients’ pathology results directly through an automated fax system.
The audit says there were 862 unauthorized viewings, about half the total number of unauthorized instances, where it is nearly impossible to determine if there were changes.
Read more on Fosters.com.