North Ottawa Community Health System Discovers 3-Year Insider Breach

North Ottawa Community Health System (NOCH) has discovered an employee at North Ottawa Community Hospital in Grand Haven, MI, accessed the medical records of patients without authorization over a period of 3 years.

The matter was brought to the attention of the health system on October 15 by another employee. An investigation into the alleged inappropriate access was launched on October 17 and the employee was suspended pending the outcome of the investigation.

NOCH confirmed on November 25, 2019 that the employee had accessed the medical records of 4,013 patients without any legitimate work reason for doing so between May 2016 and October 2019. There appeared to be no discernible pattern to the unauthorized access. Patient records appeared to have been accessed at random.

No evidence was found to suggest that any patient information was stolen. NOCH believes the employee was accessing patient information out of curiosity.

The types of information potentially accessed included names, dates of birth, Social Security numbers, Medicare and Medicaid numbers, health insurance information, and some health information. Any patient whose Social Security number was viewable has been offered complimentary credit monitoring and identity theft protection services for 12 months.

Further training on NOCH policies covering medical record access has been provided to all staff members, and employee access to patient records has been tightened.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. It is up to OCR to decide if any further action is taken against the employee over the HIPAA violation.

Cyberattack Forces Shutdown of Center for Health Care Services’ Computer Systems

The Center for Health Care Services (CHCS) in San Antonio, TX, experienced a cyberattack over the holiday period which forced it to shut down its computer systems.

CHCS provides healthcare services for individuals with mental health disorders, developmental disabilities, and substance abuse disorders, and operates several walk-in clinics and outreach centers in San Antonio.

After federal officials alerted CHCS to the cyberattack, the CHCS IT team determined that a single server had been compromised. The decision was taken to shut down its entire computer system as a precaution. The IT department has started restoring its computer systems and bringing them back online one by one, starting with the systems at its largest clinics. The process is expected to take several days.

The cyberattack was part of a larger attack that started before the holiday period. It is currently unclear how many other organizations have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.