Three-Year Insider Breach Identified by North Ottawa Community Health System

North Ottawa Community Health System (NOCH) has identified that a staff member at North Ottawa Community Hospital in Grand Haven, MI, accessed the medical records of patients without authorization over a period of three years.

Another staff member reported the issue to the health system on October 15. An investigation into the alleged inappropriate access began on October 17, and the employee was suspended pending its outcome.

NOCH confirmed on November 25, 2019 that the employee had accessed the medical records of 4,013 patients without any legitimate work reason for doing so between May 2016 and October 2019. There seemed to be no obvious pattern to the unauthorized access. Patient records may have been accessed at random.

No evidence was found to suggest that any patient information was stolen. NOCH believes that the employee was accessing patient information out of curiosity.

The information that may have been viewed included names, dates of birth, Social Security numbers, Medicare and Medicaid numbers, health insurance information, and some health information. Any patient whose Social Security number was viewable has been offered free credit monitoring and identity theft protection services for a one-year period.

Additional training on NOCH policies covering medical record access has been made available to every staff member, and employee access to patient records has been tightened.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. It is up to OCR to decide on the next steps and whether any further action is taken against the employee over the HIPAA violation.

Hacking Campaign Forces Closure of Center for Health Care Services’ Computer Systems

The Center for Health Care Services (CHCS) in San Antonio, TX, suffered a hacking attack over the holiday period, which forced it to shut down its computer systems.

CHCS provides healthcare services for people with mental health disorders, developmental disabilities, and substance abuse disorders, and runs several walk-in clinics and outreach centers in San Antonio.

The CHCS IT team discovered that a single server had been compromised after being warned about the cyberattack by federal officials. The decision was taken to shut down its entire computer system as a precautionary measure. The IT department has begun restoring its computer systems and bringing them back online one by one, starting with the systems at its biggest clinics. The process is expected to take many days.

The cyberattack was a small part of a larger attack that started before the holiday period. It is currently unclear how many other organizations have been infiltrated.
