BreachExchange mailing list archives

Ephrata Community Hospital notifies patients of data breach


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Thu, 20 Jun 2013 10:02:39 -0500

http://healthitsecurity.com/2013/06/19/ephrata-community-hospital-notifies-patients-of-data-breach/

Ephrata Community Hospital of Pennsylvania recently posted on its
website that one of its employees had inappropriately accessed patient
data. It learned on April 16 that they had viewed some patients’
electronic medical records and may have accessed clinical information
as well.

Details such as how long the access occurred, how the employee was
caught and the number of patients involved were not part of the
statement:

Ephrata Community Hospital takes our obligation to protect our
patients’ personal health information seriously. Regrettably, this
notice concerns some of that information.

On April 16, 2013, we learned that one of our employees had accessed
patient medical records prior to that date. Viewing these medical
records was outside the employee’s job duties. We immediately began an
investigation and confirmed that the employee viewed some patients’
electronic medical records and may have accessed clinical information.
The employee did not access any Social Security numbers or other
financial information, and Ephrata terminated the employee.

We have no reason to believe that the information was used in any way,
but as a precaution, we began sending letters to affected patients on
June 14, 2013. We have also established a dedicated call center for
patients to call with any questions. If you believe you are affected
but have not received a letter by July 1, 2013, please call
1-888-414-8021, Monday through Friday between 9:00 a.m. and 7:00 p.m.
Eastern Time. When prompted, please enter the following 10-digit
reference code: 8934061413.

We regret any inconvenience this may cause our patients. To help
prevent something like this from happening in the future, we are
reinforcing education with all staff regarding the importance of
maintaining the confidentiality of our patients’ information and
appropriate care-related access to patient records.

As usual, it’s great that they’re going to re-educate staff on patient
privacy procedures. But they’re going to have to explain how that
education process will work if they’re going to work toward regaining
patient trust.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
