Healthcare News & Insights

Data breach: Former hospital employee accessed 2,400 patient records

The latest hospital to experience an internal data breach is the University of Massachusetts Memorial Medical Center in Worcester. 

Now the facility is contacting 2,400 patients to warn them that their personal information may have been compromised.

What happened

The hospital says a “now former” employee accessed 2,400 patient records, including social security numbers and dates of birth. Not only did this person access patients’ protected health information (PHI), but the person may also have opened credit card or cell phone accounts in patients’ names.

So far hospital officials believe this has happened to up to four people, but they are unaware of any misuse of medical information.

The employee worked at the hospital from May 2002 to March 2014. The hospital has not revealed what position that person held.

Identity theft?

In a news report, John Moynihan, a data security expert with Minuteman Governance, said, “The Massachusetts Data Protection law calls for a fine of $5,000 per record accessed if the accesses were unauthorized. So, if you’re talking a 12-year period, where this employee had unfettered access to databases, you’re talking about the potential of hundreds of billions of dollars in fines.”

Moynihan reminded readers that information like that accessed in this breach can be sold to third parties, which can lead to identity theft.

He also advised readers, “If you were a patient for the last 12 years, state and federal law allows you to have a free credit report per calendar year for all the major credit reporting agencies. You should definitely get a credit report if you were (a patient) during that period. I’m a patient there and I’m going to get one, that’s for sure.”

What hospitals can do

This hospital had a breach, but the facility and you can learn from it. The bottom line: Helping to prevent data breaches and medical identity theft is good for hospitals’ business.

Stopping fraud requires help from all sides, including providers, insurers, government agencies and patients themselves, according to a report from California Attorney General Kamala Harris (D) on curbing medical identity theft.

Here are some of the recommendations the report has for hospitals and other healthcare providers:

  1. Educate patients about medical identity theft — Many cases of fraud could be prevented or at least stopped earlier if patients paid closer attention to their records and statements to spot suspicious activity. In addition, many types of fraud occur because of patients’ own negligence — for example, letting someone else use their insurance card. Hospitals can help by teaching patients what they should look for and how they can protect themselves. Organizations should also make it simple for patients to get access to those documents.
  2. Vet and train staff members — Many privacy breaches are blamed on hospital staff, either because of intentional theft or negligence that leaves information vulnerable. That’s why it’s important to properly vet all new hires who will have access to patient information, and to train them on their responsibilities for keeping that data secure.
  3. Identify red flags — During patient interactions and when processing paperwork, hospital staff should be trained to identify red flags that could signal fraud. That includes information collected when a patient visits that doesn’t match what’s on file, tests being ordered that are inconsistent with the patient’s history, etc.
