BreachExchange mailing list archives

Hospital apologizes for data breach


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 28 May 2013 12:07:27 -0500

http://www.chroniclejournal.com/content/news/local/2013/05/28/hospital-apologizes-data-breach

Thunder Bay Regional Health Sciences Centre has confirmed a privacy
breach involving diagnostic images, but is providing few details as
to who was involved.
Hospital CEO Andree Robichaud and chief of staff Dr. Gordon Porter
said Monday that the MRI scans of about 500 people were shared with a
physician outside the hospital who did not have hospital privileges.
“We take the privacy of our patients seriously and we deeply apologize
for what happened,” Porter said during a news conference.
“My job is to ensure the quality and safety of all patients that come
to this hospital, so I take this very seriously,” he said.
He said this is the first time in the hospital’s history that there
has been a privacy breach.
Robichaud said a physician who has privileges in the hospital had been
sharing MRI diagnostic images with an unauthorized physician outside
the hospital. The images were done between July 2012 and April this
year. The information included the patient’s name, date of birth, sex
and interpretation of the images.
“The privacy breach was discovered in early April and it took multiple
gymnastics from an IT perspective to be able to come up with a list
and determine to what extent and when it began,” Robichaud said.
“There is no information to suggest that personal information was
shared with anyone beyond this other individual.”
Porter said it is not unusual for physicians to share information for
the purpose of providing health care, but there are regulations
that protect patient confidentiality.
Robichaud said the Office of the Information and Privacy Commission of
Ontario is investigating.
The names of the physicians were not divulged, but Porter said they
have spoken to the physician at the hospital. He could not say if
anyone would be fired over the incident.
Robichaud said the “appropriate actions have been taken.”
Porter said all hospitals have bylaws that govern professional staff
regarding quality and safety. These are dealt with through the medical
advisory committee.
“Each physician who has credentials to work here signs a
confidentiality agreement with our organization and with each
appointment process,” he said. “Every patient has the right to
confidentiality. We are extremely disappointed by this breach.”
He said no one will have to have their imaging repeated. Anyone
impacted will receive a letter in the coming days that includes
clinical information and contact numbers.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
