Mercy Health And Montefiore Medical Center have reported insider data breaches recently. In the two occurrences, an employee viewed patient information although there was no legit work -associated reason to do so.
Mercy Health Detects Unauthorized Access of PHI by Former Worker
Mercy Health in Cincinnati, OH began informing some patients concerning the access of their protected health information (PHI) by personnel for reasons apart from delivering patient care.
Mercy Health identified the insider breach on October 7, 2020. The investigation discovered the employee had viewed patient data on a number of instances when it wasn’t needed for giving care to patients. The reason behind the unauthorized access was not disclosed with the public.
Patients affected by the breach were instructed to keep track of their credit reports and billing/accounts transactions and to report any unauthorized transactions. As a preventative measure against identity theft and fraud, Mercy Health provided the impacted patients with free membership to IDX identity theft protection services for one year.
For most of the affected patients, the data accessed was restricted to name, address, demographic details, birth date, medical record number, clinical details, radiological photos and/or treatment data. The ex-employee also accessed the medical insurance ID numbers of a few patients.
Since that time, Mercy Health upgraded processes to avert identical incidents later on and the personnel were re-trained on compliance with the guidelines and procedures of Mercy Health.
When this was penned, the breach is not yet appearing on the HHS’ Office for Civil Rights breach site thus the number of impacted patients is still uncertain.
Montefiore Medical Center Ex-Employee Viewed Patient Information for Billing Fraud
Montefiore Medical Center located in New York City has uncovered that a past employee acquired access to patient data and used it for a billing scam. The employee accessed patient names, medical record numbers, and surgery schedules and utilized them to make invoices for untouched surgical items, in association with a vendor.
Montefiore Medical Center learned about the scam after it paid for the invoices and started an investigation that showed the unauthorized access of the ex-worker. Around 4,000 patients’ information was accessed with no authorization between January 2018 and July 2020.
The ex-employee didn’t view Social Security numbers, medical records, and financial data. The investigators found no proof that indicates that patients or their insurance agencies were conned. The fraud report was submitted to the police and the investigation is in progress.
Montefiore Medical Center stated the former worker died at the time of the investigation and the supplier has been barred from going into all Montefiore campuses.
Montefiore Medical Center took steps to avoid comparable occurrences later on. The paper documents involved in the fraud aren’t used any longer and the way of processing invoices for medical merchandise is being evaluated.
Criminal background verifications are now performed before an appointment and all staff get instruction on privacy policies and are advised that the medical center doesn’t tolerate employees who access health records except when there is a legitimate work-associated reason for doing this.