BreachExchange mailing list archives

Samaritan Hospital confirms patient records security breach in 2011


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Mon, 4 Mar 2013 10:37:28 -0600

http://saratogian.com/articles/2013/03/01/news/doc513105ba6f4ba045285003.txt

TROY — An official at Samaritan Hospital confirmed a nursing
supervisor at the Rensselaer County jail improperly accessed the
hospital’s patient records, triggering an investigation by Sheriff
Jack Mahar.

Elmer Streeter, director of communications at St. Peter’s Health
Partners, the corporate parent of Samaritan, said the hospital was
notified of the breach in November 2011.

“We received an inquiry that suggested that protected health
information contained in electronic medical records that related to a
patient at Samaritan Hospital may have been improperly accessed by a
supervisory nursing staff member employed at the Rensselaer County
Jail,” he said.

Samaritan officials conducted an internal investigation after
receiving the notification.

“We determined that there had been improper access on a particular
account,” Streeter said.

The hospital notified the sheriff about the breach and disabled the
access of the individual whom they believed had been improperly accessing
the information.

Streeter said the hospital’s next step would have been to follow
federal guidelines and notify patients whose records were improperly
accessed. But a sheriff’s investigation into the matter prevented them
from doing so.

“The sheriff asked the hospital not to notify these persons,” Streeter said.

“We’re required to do that by federal regulations; if a law
enforcement agency asks to delay notification so as not to impede an
investigation of a potentially criminal nature, we have to comply.”

At this point, some 14 months later, the sheriff’s office has
authorized Samaritan Hospital to notify the patients. Streeter said
letters were being sent this week.

Asked the identity of the employee who committed the breach and why,
Yvonne Keefe, a spokeswoman for Mahar, said: “The sheriff's office is
investigating a complaint filed by Samaritan Hospital regarding
medical records. This office has no comment on internal investigations
or personnel matters.”

Because Samaritan Hospital provides treatment for inmates, the jail’s
nursing staff has access to Samaritan’s electronic medical records for
the purposes of coordinating care.

Streeter said persons granted access sign an agreement stating they
would only access records for patients to whom they are providing
care.

“The issue here is that some individuals used poor judgment and did
not follow applicable privacy laws and standards of ethical conduct,”
Streeter said.

It was unclear what penalties apply to breaches of the Health
Insurance Portability and Accountability Act regulations.

According to the Office for Civil Rights, charged with enforcing HIPAA
regulations nationwide, a breach is defined as “an impermissible use
or disclosure that compromises the security or privacy of the
protected health information such that the use or disclosure poses a
significant risk of financial, reputational or other harm to the
affected individual.”

After a notification of a breach is received by the Office of Civil
Rights, the complaint is reviewed internally. Depending on a number of
factors, the breach complaint can be referred to the U.S. Department
of Justice for a criminal investigation.

Streeter said Samaritan did not notify the Office of Civil Rights of
the breach, citing advice from their legal department.

Penalties could range from formal findings of fact to criminal prosecution.

Charles Sweeney may also be reached at 270-1252.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.