BreachExchange mailing list archives

Massachusetts EMR firm reports breach


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Mon, 18 Mar 2013 10:22:03 -0400

http://www.phiprivacy.net/?p=12037

Here’s another case, not yet reported in the media, involving insider
wrongdoing and electronic medical records:

On Tuesday, Lawrence Melrose Medical Electronic Record, Inc. in
Melrose, Massachusetts notified the New Hampshire Attorney General’s
office that an employee of a medical practice improperly accessed the
EMRs and patient registration information of patients at six medical
practices in Melrose: Canan Avunduk, MD (Baystate Gastroenterology),
Maury Goldman, MD, Hallmark Health Medical Associates, John Mudrock,
MD, Main Street Family Practice, and Womens Healthcare Associates.

The firm, which does not appear to have its own web site, is listed as
a non-profit having its address as 585 Lebanon St., c/o Hallmark
Health, Melrose, MA 02176.

Their notification to the state, which was filed by their law firm,
did not include a copy of their notification letter to patients, so we
do not yet know the full scope of information the employee accessed or
why.  A patient registration form on one of the practice’s sites,
however, suggests that name, contact details, date of birth, Social
Security numbers, employment information, insurance information, and
emergency contact information were all in the database.

Notification letters to two patients in New Hampshire were to be sent
on or about March 14. It is not clear how many patients, total, were
affected by this incident as the report identifies six medical
practices whose patients were affected.

In response to the breach, the firm says it is enhancing its privacy
and security controls, consulting with professionals about
implementing better access control monitoring, and re-training all
employees.  Affected patients are being offered credit protection and
restoration services through Kroll.

The letter does not indicate whether the employee has been referred to
law enforcement for criminal charges.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
