Share this article on:
Mercy Medical Center North Iowa has discovered a former employee potentially accessed the medical records of patients without authorization over a period of 12 months.
An internal investigation suggested a former employee had inappropriately accessed patient information between July 2017 and July 2018. The employee had been given access to patient information to complete work duties, but Mercy Medical Center North Iowa was unable to confirm whether all records had been accessed for appropriate job-related purposes.
The types of information the former employee accessed was limited to names, addresses, birth dates, medications, and insurance information.
Breach notification letters were mailed to affected patients on November 26, 2018 and all individuals whose personal information was exposed have been offered 12 months of complimentary identity theft protection services.
The discovery of the unauthorized access has prompted Mercy Medical Center North Iowa to review its privacy practices and further training will be provided to employees to reinforce past training on hospital and HIPAA Rules related to patient privacy.
Mercy Medical Center North Iowa issued the following statement about the breach. “Mercy-North Iowa takes very seriously the responsibility to safeguard the protected health information of patients and apologizes for any concern or inconvenience this situation may cause.”
The privacy violation has been reported to law enforcement and the HHS’ Office for Civil Rights. The Globe Gazette has reported that approximately 1,900 current and former patients have been notified about the breach.
3,930 Patients of Arthritis & Osteoporosis Consultants of the Carolinas Notified About PHI Breach
3,930 patients of Charlotte, NC-based Arthritis & Osteoporosis Consultants of the Carolinas (AOCC) have been notified that some of their protected health information has been exposed.
A report containing patients’ personal and medical information was discovered to be missing on September 10, 2018. AOCC believes the report was accidentally discarded in the trash without first being shredded.
AOCC does not believe the report has been viewed by anyone other than authorized AOCC staff and no reports have been received to suggest patient information has been misused.
The following information was listed in the report: Names, birth dates, payer-issued ID numbers, insurance information, names of treating physicians, and for certain patients, the name of an infusion drug that had been administered.