Hospital Records Breach Leads RoundupUnityPoint Health Detects Inappropriate Access
In this week's breach roundup, UnityPoint Health in Iowa is notifying 1,800 patients that their electronic records were inappropriately accessed. Also, a former receptionist at a medical imaging school faces identity theft charges.
Electronic Records Inappropriately Accessed
UnityPoint Health, an integrated delivery system based in West Des Moines, Iowa, is notifying 1,800 hospital patients about a breach after an employee at a third party inappropriately accessed an electronic medical record system.
During an audit on Aug. 8, UnityPoint detected unusual access patterns to certain patient data, the delivery system notes in a news release. Upon review, UnityPoint learned that the employee, who was not authorized to access the records system, had done so by using the passwords of individuals who were authorized to access the system for medical purposes.
The unauthorized access to records occurred from February through August.
After learning about the incident, UnityPoint forced a password reset and reported the incident to law enforcement, the release said.
The third party is not being revealed because the investigation is still ongoing, according to a UnityPoint spokesperson.
Compromised information includes names, home addresses, dates of birth, medical and health insurance account numbers, and health information related to patient treatment, according to the release.
For less than 10 percent of impacted patients, Social Security numbers and/or driver's license numbers may have been viewed. For four patients, the unauthorized user also viewed information about the patients' financially responsible party.
Affected patients are being offered free credit monitoring services.
Receptionist Charged in ID Theft Case
A receptionist who worked for six weeks at the Institute of Allied Medical Professions, a medical imaging school in Stamford, Conn., faces 17 charges of identity theft plus two other charges.
Bianca Torres of Bridgeport, Conn., allegedly stole personal information of students, according to the Stamford Advocate, a local news outlet. The compromised information included credit card numbers, which were allegedly used to purchase airline tickets and furniture and pay various bills, the news report said.
Torres allegedly had access to a database containing students' personal information, the report said.
Hospital Breach Involves Stolen Laptop
In yet another healthcare information breach involving a stolen unencrypted laptop, St. Mary's Janesville Hospital in Wisconsin is notifying 629 patients that a device containing information about them was taken from an employee's car.
Compromised information on the laptop included patient names; dates of birth; medical record and account numbers; providers and departments of service; bed and room numbers; dates and times of service; visit history; complaints; diagnoses; procedures; test results; vaccines and medications.
The hospital is offering affected patients free identity protection and monitoring services for one year. Plus, the hospital reports that it's working to encrypt all laptops.
The most common cause of breaches on the U.S. Department of Health and Human Services' tally of major breaches is the loss or theft of unencrypted devices.
UK Bank Employee Fined
The UK Information Commissioner's Office fined a former Barclays Bank employee Â£3,360 for illegally accessing the details of a customer's account.
The former employee, Jennifer Addo, found out the number of children the customer had and passed the information along to the customer's partner, according to a news release issued by the ICO. The customer's partner was a friend of the bank employee.
Addo was prosecuted under the Data Protection Act and fined Â£2,990 for 23 offenses, the ICO said. She was also ordered to pay a Â£120 victim surcharge and Â£250 prosecution costs.
The victimized customer contacted the bank when it appeared their information was passed to the partner. An investigation conducted by the bank found that Addo had illegally accessed the customer's details 22 times between May 10 and Aug. 8, 2011.
"Addo confirmed that she was aware that the complainant's details should not have been accessed, but still decided to look at the complainant's file and pass information to her friend," the ICO said.
"The banking industry has rigorous procedures and safeguards in place to make sure customers' details are kept secure," says Stephen Eckersley, head of enforcement at the ICO. "However, banks rely on the honesty and professionalism of their staff to ensure that the privileged access given to their records is not abused for personal gain."