BreachExchange mailing list archives
Samaritan Hospital confirms patient records security breach in 2011
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Mon, 4 Mar 2013 10:37:28 -0600
http://saratogian.com/articles/2013/03/01/news/doc513105ba6f4ba045285003.txt

TROY — An official at Samaritan Hospital confirmed a nursing supervisor at the Rensselaer County jail improperly accessed the hospital’s patient records, triggering an investigation by Sheriff Jack Mahar.

Elmer Streeter, director of communications at St. Peter’s Health Partners, the corporate parent of Samaritan, said the hospital was notified of the breach in November 2011.

“We received an inquiry that suggested that protected health information contained in electronic medical records that related to a patient at Samaritan Hospital may have been improperly accessed by a supervisory nursing staff member employed at the Rensselaer County Jail,” he said.

Samaritan officials conducted an internal investigation after receiving the notification. “We determined that there had been improper access on a particular account,” Streeter said.

The hospital notified the sheriff about the breach and disabled the access of the individual whom they believed was improperly accessing the information.

Streeter said the hospital’s next step would have been to follow federal guidelines and notify patients whose records were improperly accessed. But a sheriff’s investigation into the matter prevented them from doing so.

“The sheriff asked the hospital not to notify these persons,” Streeter said. “We’re required to do that by federal regulations; if a law enforcement agency asks to delay notification so as not to impede an investigation of a potentially criminal nature, we have to comply.”

At this point, some 14 months later, the sheriff’s office has authorized Samaritan Hospital to notify the patients. Streeter said letters were being sent this week.

Asked the identity of the employee who committed the breach and why, Yvonne Keefe, a spokeswoman for Mahar, said: “The sheriff’s office is investigating a complaint filed by Samaritan Hospital regarding medical records. This office has no comment on internal investigations or personnel matters.”

Because Samaritan Hospital provides treatment for inmates, the jail’s nursing staff has access to Samaritan’s electronic medical records for the purposes of coordinating care. Streeter said persons granted access sign an agreement stating they would only access records for patients to whom they are providing care.

“The issue here is that some individuals used poor judgment and did not follow applicable privacy laws and standards of ethical conduct,” Streeter said.

It was unclear what penalties apply to breaches of the Health Insurance Portability and Accountability Act regulations. According to the Office for Civil Rights, charged with enforcing HIPAA regulations nationwide, a breach is defined as “an impermissible use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational or other harm to the affected individual.”

After a notification of a breach is received by the Office for Civil Rights, the complaint is reviewed internally. Depending on a number of factors, the breach complaint can be referred to the U.S. Department of Justice for a criminal investigation.

Streeter said Samaritan did not notify the Office for Civil Rights of the breach, citing advice from their legal department.

Penalties could range from formal findings of fact to criminal prosecution.

Charles Sweeney may also be reached at 270-1252.