The Department of State Hospitals (DSH) in California has learned a worker obtained access to the protected health information (PHI) of 1,415 present/former patients and 617 personnel without consent.
The employee had an Information Technology job and got access to data servers that contain sensitive patient and staff information so as to perform work assignments. DSH found out about the inappropriate access on February 25, 2021 while conducting a regular annual audit of access to data files.
DHS quickly started an investigation and learned that the worker was viewing data without permission for approximately 10 months. Files that contain names, COVID-19 test data, and other health information essential for tracking COVID-19 were stolen from the server. The privacy breach investigation is in progress and the staff took an administrative leave while waiting for the conclusion of the investigation. To date, the investigation has not discovered any information that indicates the improper use of the stolen information or its exposure to any other person.
DSH stated that there were safety measures in place to detect unauthorized PHI access, nevertheless because the actions of the worker seem to be legit access, the unauthorized access wasn’t recognized when it transpired and was merely uncovered at the time of the yearly audit.
It looks like the staff made use of the access given to do their usual job responsibilities to access the server, clone files comprising the names of current and past patients, and workforce, COVID-19 test data, and related medical data with no evident link to their job tasks, suggesting a high likelihood of unauthorized access, mentioned by DSH in its data breach Report. It is unclear at present whether this was a deliberate breach.
DHS has since taken action to avert the same problems later on, which include modifying guidelines and procedures, restricting access to servers that contain PHI, and bettering logging and evaluations of data activity. DHS also improved the auto-detection of files comprising PHI if being duplicated to nonstandard destinations.
Eyemart Express Notifies Patients Concerning Email Account Breach
Eyemart Express based in Farmers Branch, TX discovered that an unauthorized person got access to the email accounts of some employees and likely viewed or acquired patients’ PHI. The healthcare provider discovered the breach on December 11, 2020 and took steps promptly to block further unauthorized access.
It was confirmed by the investigators that the breach began on August 21, 2020. The breach only affected email accounts and not the internal systems. A thorough review of the impacted email accounts showed they comprised data like names, e-mail addresses, and the subject lines of messages sent by Eyemart Express to the affected clients. The breach affected just a small percent of patients, who have already been informed.