Statement by Griffin Hospital about security breach
Griffin Hospital in Derby, Connecticut issued this statement today on its web site:
Griffin Hospital has notified 957 patients of an apparent breach of personal protected health information during the period from February 4, 2010 to March 5, 2010 after an investigation prompted by patient inquires revealed the breach.
Based on information available to it, Griffin Hospital has reason to believe that a radiologist previously, but not currently, affiliated with the hospital or on the Griffin Hospital Medical Staff accessed patient radiology reports on the hospital’s Digital Picture Archiving and Communication System (PACS) using the passwords of other radiologists and an employee within the Radiology Department. The passwords were obtained and/or used without their knowledge.
PACS is a computer-based, digital image archiving system that maintains encrypted data of patient’s radiological images that are accessible only through a user name and password entry system. The PACS system allows authorized physician users to access radiology study images through a secured network from workstations in the hospital and from remote locations outside the hospital.
From the investigation conducted by Griffin Hospital it appears the physician who gained unauthorized access scanned the PACS directory listings of 957 patients who had radiology studies performed at Griffin Hospital during the period and selected and entered (downloaded) the image files of 339 of these patients.
On and after February 26, 2010, Griffin Hospital received inquiries on behalf of patients regarding unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients’ interest in having those services provided at Griffin Hospital. The inquiries prompted the investigation that revealed unauthorized intrusions into Griffin Hospital’s PACS and, thereby, the breach of protected patient health information.
The physician was formerly a member of the Griffin Hospital medical staff who had been employed by the radiology group with which Griffin Hospital contracted for its radiology professional services. During that time the physician did have authorized access to the PACS. Thereafter, the physician’s employment with the radiology group was terminated on February 3, 2010. That resulted in the loss of his medical staff appointment at Griffin Hospital and his authorization to access PACS. At the same time as the physician’s PACS access was terminated his access password was revoked.
Prompted by the initial patient inquiries, Griffin Hospital launched an investigation that included an audit of information captured by PACS that revealed the repeated, unauthorized access from a single computer at a particular Internet Protocol (I.P.) address using the password of other physicians and employees. Every device connected to the public Internet is assigned a unique number known as an Internet Protocol address. Further analysis identified the individual/physician to whom the I.P. address was assigned.
The audit revealed the scope of the breach and that protected patient information had been accessed. Once the investigation reached this point, the hospital immediately engaged legal counsel who issued a cease and desist demand to the physician on March 5, 2010. All of the individual patients whose protected health information could have been accessed through the breach have been notified of the details of the breach by mail. Griffin Hospital has changed all of the passwords for PACS users whose passwords were identified as having been used without authorization. It has also advised all users of the need for strict password confidentiality.
The information accessed in the PACS directory scanned included: patient name, exam date, exam description, gender, age, medical record number and date of birth. The patient’s Social Security number and patient financial information are not information in the directory accessed. As a result, it would appear that there is no further action patients need to take to protect them from future harm resulting from the breach.
“Griffin Hospital has stringent policies, procedures and systems in place to protect patient information and takes very seriously our obligation to safeguard the personal and health information of our patients,” said Griffin President Patrick Charmel. “This breach, however, appears to have been a deliberate intrusion into Griffin’s Digital Picture Archiving and Communication System (PACS) to view patient radiology reports. We acted quickly to complete an audit and investigation and to notify affected patients. As a result of this breach, steps are underway to further strengthen the security of patient information. We regret that this incident has occurred, and are committed to prevent future such occurrences,” Charmel said.
Griffin is following all of the requirements of the American Recovery and Reinvestment Act of 2009 and the Health Information Technology for Economic and Clinical Health Act which includes: notification of the U.S. Secretary of the Department of Health and Human Services, notification of patients that may have had their personal protected health information accessed in the breach, public disclosure to the local media through media notification, and posting information about the breach on Griffin’s website. Griffin officials have also notified the Office of Connecticut Attorney General Richard Blumenthal about the breach.
Griffin Hospital has trained staff available for patients to call with any questions related to the data breach. Patients are also asked to call Edward J. Berns, Vice President – Legal Affairs and Compliance Officer at 203-732-7506 (toll-free: 800-354-3094) if they have questions or concerns about any contacts or inquiries related to services received at Griffin Hospital. In addition, patients may visit Griffin Hospital’s web site at www.griffinhealth.org where information about the breach has been posted.