Wednesday 23 August 2017

Inappropriate Access to Patient Records Spanned 14 Years

Author: Marianne Kolbasuk McGee

State Hospital Discovered Breach After a Former Patient Complained

Inappropriate access to electronic patient records by a clerk for 14 years at a state-run psychiatric facility in Massachusetts shows just how difficult it can be to detect and prevent long-term breaches involving insiders.

"These are the hardest cases to detect if you are still trying to audit manually or with a tool that only looks for compliance violations," says Mac McMillan, president of the security consultancy CynergisTek. "This is the kind of incident that demonstrates the need for behavioral-based monitoring that is capable of sorting through so much more data to identify inappropriate activity."
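As an added illustration of the peer-baseline idea McMillan describes (example code written for this page, not from the article or CynergisTek), the script below compares each clerk's breadth of record access against the median of same-role peers and also applies the simpler compliance-style rule of flagging access to patients outside the assigned unit. The access log, roster, unit names and threshold factor are all constructed for the demonstration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample EHR access log (not from the article): (date, user, patient_id, patient_unit)
ACCESS_LOG = [
    ("2015-03-02", "clerk_a", "P100", "PSY-1"), ("2015-03-09", "clerk_a", "P101", "PSY-1"),
    ("2015-04-11", "clerk_a", "P102", "PSY-1"),
    ("2015-03-03", "clerk_c", "P103", "PSY-1"), ("2015-03-15", "clerk_c", "P104", "PSY-1"),
    ("2015-05-01", "clerk_c", "P100", "PSY-1"),
    # clerk_b: low volume in any one month, but many more patients, spread across units
    ("2015-03-04", "clerk_b", "P105", "PSY-1"), ("2015-03-18", "clerk_b", "P200", "PSY-2"),
    ("2015-04-02", "clerk_b", "P201", "PSY-2"), ("2015-04-20", "clerk_b", "P300", "MED-3"),
    ("2015-05-06", "clerk_b", "P301", "MED-3"), ("2015-05-22", "clerk_b", "P202", "PSY-2"),
    ("2015-06-01", "clerk_b", "P106", "PSY-1"), ("2015-06-19", "clerk_b", "P302", "MED-3"),
    ("2015-07-07", "clerk_b", "P303", "MED-3"), ("2015-07-28", "clerk_b", "P203", "PSY-2"),
]
# Constructed staff roster: user -> (role, assigned unit)
ROSTER = {"clerk_a": ("clerk", "PSY-1"), "clerk_b": ("clerk", "PSY-1"), "clerk_c": ("clerk", "PSY-1")}

def patients_by_user(log, roster):
    """Distinct patients touched by each user, and the subset outside the user's assigned unit."""
    seen, out_of_unit = defaultdict(set), defaultdict(set)
    for _date, user, patient, unit in log:
        seen[user].add(patient)
        if unit != roster[user][1]:
            out_of_unit[user].add(patient)
    return seen, out_of_unit

def flag_users(log, roster=ROSTER, factor=2.0):
    """Return {user: [reasons]} for users whose access pattern stands out from role peers."""
    seen, out_of_unit = patients_by_user(log, roster)
    # Behavioral baseline: median distinct patients per user within each role
    per_role = defaultdict(list)
    for user, (role, _unit) in roster.items():
        per_role[role].append(len(seen.get(user, ())))
    baseline = {role: median(v) for role, v in per_role.items()}
    flags = {}
    for user, (role, _unit) in roster.items():
        reasons, n = [], len(seen.get(user, ()))
        if n > factor * baseline[role]:
            reasons.append(f"{n} distinct patients vs role median {baseline[role]}")
        if out_of_unit.get(user):  # the compliance-style rule, on its own
            reasons.append(f"{len(out_of_unit[user])} patients outside assigned unit")
        if reasons:
            flags[user] = reasons
    return flags

if __name__ == "__main__":
    for user, reasons in flag_users(ACCESS_LOG).items():
        print(user, "->", "; ".join(reasons))
```

In a real deployment the baseline would be computed per month over years of logs, which is what lets a low-and-slow pattern like the one described here surface without any single month looking unusual.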

Victim Count

In a notice posted Friday on its website, the Massachusetts Department of Health and Human Services, which operates Tewksbury Hospital, says a former hospital employee "without good reason" accessed the records of patients for more than a decade.

"Individuals who may be affected include people who were patients at Tewksbury Hospital from 2003 through May 2017," the statement says. Approximately 1,100 patients were impacted by the records snooping.

The health department says it's providing written notice to affected patients in addition to posting the notice on its website.

The 370-bed Tewksbury Hospital includes approximately 220 beds for "complex chronic" medical adult patients who reside in seven inpatient units, and 150 for psychiatric clients in five inpatient units. The hospital also accommodates offices for five state agencies.

Breach Discovery

The breach was discovered in April when a former patient expressed concern that someone may have accessed their electronic medical record inappropriately, the health department's notice says.
