Virginia HIPAA Breach Exposed Patient Data for 4 Years

A new HIPAA security breach has been uncovered in Virginia involving 919 patients of the Riverside Health System, which operates five hospitals in Southeast Virginia. The breach did not involve tens of thousands of patients, but it is one of the longest recorded to date: the ePHI was accessible from September 2009 until the breach was discovered on November 1 last year.

The data was not accessed by outside entities, as in other recent breaches; instead, a single practice nurse employed at one of the hospitals accessed the records of nearly 1,000 patients. The breach was uncovered in a random audit of the hospital’s IT systems.

The nurse in question allegedly accessed the records of 919 patients, which included Social Security numbers and medical histories, although the reason for accessing the data was not provided. The nurse has since had her employment contract terminated and there is no ongoing security risk.

Riverside Health System is currently taking all reasonable steps to contact patients and mitigate any damage or loss caused. An apology has been issued to all patients affected and the Riverside Health System is in the process of implementing a number of new security controls to further protect patients.

All patients have been contacted by letter to inform them of the inappropriate access of their medical data, with each being offered a year of credit monitoring services without charge. However, at the time of writing, the hospital has been unable to contact 76 of the patients affected.

This breach demonstrates that any healthcare organization can suffer a HIPAA breach, even with a robust compliance program in place, as was the case at Riverside Health. It is important for healthcare institutions to conduct a full risk assessment to identify potential vulnerabilities. While unauthorized access to patient records by external entities must be prevented, security controls should also be implemented to limit unnecessary access to sensitive data by the organization’s own healthcare professionals.

The Office for Civil Rights (OCR) of the Department of Health and Human Services is issuing heavy fines to organizations and their business associates for data breaches resulting from willful neglect. Fines of $10,000 are issued for every violation, with a maximum fine of $1.5 million per year. Security breaches such as the incident at St. Joseph’s that have gone unaddressed for a number of years can prove very costly, although the company will have to wait until the OCR has completed its investigation to find out whether a financial penalty will be issued for this breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.