It has been revealed that PeaceHealth Southwest Medical Center suffered a data breach after an employee “unnecessarily” accessed private medical information of almost 2,000 patients.
The affected data included names, ages, medical records, treatment dates, diagnoses, and progress notes. The employee responsible for the breach no longer works for the organization.
An investigation on August 9, 2017 found that the breach took place between November 2011 and July 2017. Patients’ Social Security numbers and financial information were not accessed.
Affected patients are not thought to be at risk of identity theft, but they have been advised to review their health insurance plans and report anything untoward without delay.
PeaceHealth has apologized and sent a letter to all affected patients informing them of the situation.
A statement from PeaceHealth said:
“We sincerely apologize to patients for any concern or inconvenience this has caused. Patient privacy is among our highest priorities at PeaceHealth, and we take this very seriously.”
PeaceHealth is reportedly investing in technology and following best practice to ensure patient information is properly protected.
The statement continued:
“In addition, we are reinforcing education with our staff regarding the appropriate access of patient information.”
Although this breach is an example of deliberate misuse of data rather than human error, it shows the importance of effective staff training, so that employees know how to treat confidential information.
Educate your staff
Information security is critical within the business environment. Enroll your staff on our Information Security Staff Awareness E-learning Course so that they gain a better understanding of what is expected of them. The course advises staff on how to avoid becoming a security liability, introducing them to your internal policies on incident reporting and responses. Your staff are on the frontline, so give them the awareness training they need.
Protect your company
It is vital that organizations have the right security controls in place to prevent incidents like this. Lack of user access management could allow unauthorized staff to access highly sensitive customer information.