Mercy Health, a midwestern healthcare organization that employs 44,000 employees and 2,100 physicians, confirmed last week that it has cut ties with a former employee who accessed patient data without authorization.
The organization, which is based in and around St. Louis, Mo., is one of the largest Catholic healthcare systems in the country.
In a medical records incident note - essentially a data breach disclosure - published on Friday, Mercy said it learned back in October that a former employee had accessed medical record information that the employee did not need for patient care purposes. According to the note, the employee "on one or more prior occasions" accessed patient data such as names, addresses, dates of birth, medical record numbers, treatment information, and clinical data, including radiological images.
In some scenarios, health insurance identification numbers were accessed; credit card data and financial information was not.
Like most data breach notifications, the notice leaves a lot to be desired. Mercy said when it noticed the unauthorized data access but didn't clarify how it learned of it, when the incident(s) may have occurred, or exactly how many times the employee accessed patient data.
It's also unclear what safeguards, if any, were in place around patient data at Mercy, such as whether a solution existed to prevent employees from accessing data not relevant to their role. It's also not known how many patients may have had their data accessed.
The breach hasn't popped up on the U.S. Department of Health and Human Services' Office for Civil Rights Breach Portal yet, suggesting it either hasn't surfaced on the site yet or may not have impacted more than 500 individuals. If a data breach affects 500 or more individuals, under HIPAA, covered entities must notify the HHS "without unreasonable delay and in no case later than 60 days."
While Mercy said it has taken steps to remediate the issue - beyond terminating the employee - it didn't elaborate on what those steps may be. It simply said the organization has made "additional enhancements to procedures to prevent a similar incident from happening in the future" and that it provided additional compliance education to employees.
While the healthcare organization said it would pay for identity theft protection services for victims - customary in data breaches like this - it wouldn't be a surprise for those affected to be victimized further by scams, phishing attacks, and unexpected charges.
The news, while familiar, is yet another reminder of the importance of securing critical patient data.
Like many recent years, 2020 has had no shortage of healthcare data breaches. A ransomware attack hit Florida Orthopedic Institute to the tune of 640,000 patients. While the facility was eventually able to secure the system, that came only after the data appeared to have been exfiltrated. A phishing attack at BJC Healthcare, also in Missouri, in May exposed the data of 287,876 patients.
As HIPAA Journal noted earlier this year, 2020 has seen 15 settlements agreed between OCR and covered entities/business associates. That's more than ever before - at least since the HIPAA Enforcement Rule granted the OCR the ability to issue financial penalties for noncompliance.