2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee

Mishawaka, IN-based Franciscan Health has discovered the protected health information of approximately 2,200 patients has been accessed by a former employee without authorization.

The privacy violation was discovered during a routine privacy audit. Franciscan Health announced that it was confirmed on May 24, 2019 that an employee in the quality research department had accessed the electronic medical records of patients without authorization and with no legitimate work reason for doing so.

The individual concerned is no longer employed by Franciscan Health and the matter has been reported to law enforcement. While unauthorized PHI access was confirmed, Franciscan Health found no evidence to suggest that the employee copied, transmitted, or disclosed any patient information.

Patient information was stored in Franciscan Health’s medical record system, which has been in use since 2012. Through that system, the former employee accessed patient records containing information such as names, addresses, email addresses, dates of birth, phone numbers, gender information, race/ethnicity, last four digits of social security numbers, and medical record numbers.

For certain patients, the following information may also have been accessed: Physician name, diagnoses, lab test results, medications, other treatment information, driver’s license numbers, emergency contact information, and insurance claims information. The records contained the full Social Security numbers of a small subset of patients.

All patients whose protected health information was compromised will be notified by mail and provided with information on how they can sign up for identity theft protection services.  Franciscan Health will cover the cost of those services for 2 years.

UPDATE: July 2019: The OCR data breach portal shows 2,180 individuals were impacted by the breach.

Medical Records Abandoned Outside Shuttered Chicago Medical Center

City crews have begun a clean up operation to remove boxes of medical records that have been abandoned outside a shuttered medical center in the Chatham area of Chicago, IL.

Boxes of medical records containing sensitive patient information had been dumped outside the former Medical Professional Home Healthcare center.

The Medical Professional Home Healthcare center was run by Carmen Dooley. In April 2017, the state health medical department license for Dooley and her business expired and was not renewed. The Illinois Department of Public Health visited the property and found it to be unoccupied with utilities cut off. The owner of the business could not be contacted and the agency was decertified by Medicare in 2017.

According to a recent report on CBS, the records had been stored in storage containers on the property. However, the containers were removed and their contents were dumped on site in 5-foot high piles. Some owners of local properties said the records had been there for months and some paperwork containing sensitive information had blown into their years. According to the report, Dooley had not authorized the removal of the storage containers and was unaware that the records had been abandoned.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.