PHI Improperly Accessed via New England Healthcare Exchange Network

Codman Square Health Center in Dorchester, Mass has reported that an unauthorized individual gained access to the protected health information of certain patients. The data were improperly accessed via the New England Healthcare Exchange Network (NEHEN).

The PHI of 3,840 individuals was accessed, although the majority of those individuals were not patients of Conman Square Medical Center. Only 140 patients of the medical center were affected.

Codman Square Medical Center was notified of the breach on July 13, 2016 and the incident was reported to the HHS’ Office for Civil Rights on September 12. It is unclear when the data were accessed.

According to a Conman spokesperson, “Codman became aware that an unauthorized person employed by an outside vendor obtained access to the New England Healthcare Exchange Network by improperly utilizing a Codman employee’s access.”

The data accessed include the names of patients, along with their genders, dates of birth, medical insurance details, payer information, and in some cases, Social Security numbers.

In response to the security incident, Codman Square Medical Center has taken the decision to offer all affected patients credit monitoring and fraud resolution services for a period of 12 months without charge, although there is no indication that any data were accessed with malicious intent and no reports of fraudulent data use have been received.

The accessing of the data was a breach of Codman’s policies, and consequently the clinic took the decision to terminate all employees involved in the incident. The employees’ login credentials were also deactivated. Codman has now retrained all staff members on company policies regarding the accessing and use of patient health information to prevent future breaches of this nature from occurring. An internal investigation is ongoing.

More than 50 healthcare organizations are members of NEHEN, including a number of large healthcare providers and health plans. At this stage it is unclear how many other healthcare organizations have been affected by the incident. NEHEN is also investigating and will be conducting an audit of PHI access logs. A statement on the incident will be issued when the investigation has been completed or when further information on the incident comes to light.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.