Fairbanks Hospital Alerts Patients to Potential 3-Year Internal HIPAA Breach
Fairbanks Hospital in Indianapolis, IN., has discovered that the electronic health information of its patients could have been accessed by all of its employees for a period of at least three years.
Protections had been put in place to prevent unauthorized accessing of electronic health records by staff members, but on October 18, 2016, the hospital became aware that some files had been stored on an internal network that lacked those protections and could be accessed by all employees, even those who were unauthorized to view patients’ electronic information.
Following the discovery, an independent forensics expert was called in to determine the nature and scope of the problem. That individual was able to determine that the files were accessible since November 2013, and potentially longer. It was not possible to say whether the files were accessible before that date.
Attempts were made to determine whether the files had been accessed by employees during the time that they were unprotected, but access logs were not kept so it was not possible to determine whether any unauthorized individuals had viewed the information in the files.
The majority of patients impacted by the incident only had their name and a very limited amount of information exposed to unauthorized staff members. In such cases, the information that could have been accessed included admission dates and appointment scheduling information.
However, in some cases, Social Security numbers, dates of birth, addresses, telephone numbers, patient ID numbers, treatment information, medical diagnoses, and health insurance information could have been accessed.
Fairbanks hospital is in the process of informing patients of the potential privacy breach by mail and is providing them with further information on the steps that can be taken to protect against identity theft and fraud. Credit monitoring and identity theft protection services do not appear to have been offered.
Patients have been encouraged to “remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports and explanation of benefits forms for suspicious activity.” They have also been told “this also includes reviewing account statements, medical bills, and health insurance statements regularly to ensure that no one has submitted fraudulent medical claims using your name and address.” However, no reports of unauthorized use or misuse of the information have been reported to date.
The incident has been reported to appropriate state and federal bodies, including the Department of Health and Human Services’ Office for Civil Rights. It is unclear at this stage exactly how many patients have potentially been impacted.