Franciscan Health is notifying 2,200 patients that their sensitive data may have been compromised in a security incident involving a former employee.
Franciscan Health, a health system operating 14 hospitals in Indiana and Illinois, discovered during a routine privacy audit that a former employee had been accessing the records of 2,200 patients without authorization to do so.
On May 24, 2019, Franciscan Health publicly confirmed that the security incident had occurred. Their announcement stated that an employee in the quality research department had accessed the electronic medical records of patients without authorization and with no legitimate work reason for doing so.
Following an internal investigation into the incident, Franciscan Health terminated the employee and referred the matter to law enforcement. The investigators did not find evidence that the employee copied, transmitted, or disclosed any patient information.
Under the Health Insurance Portability and Accountability Act (HIPAA), workforce members of a covered entity may access protected health information only for a permitted purpose such as treatment, payment, or health care operations, and the covered entity must limit each role's access to the minimum necessary for its job. In practice this means an employee should only be opening the charts of patients with whom they have a treatment, payment, or other work-related relationship. The former employee was accessing the records of individuals with whom they had no such relationship and no work reason, and was therefore violating the Privacy Rule.
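The "routine privacy audit" that caught this case is, at its core, a check of EHR access logs against a record of who actually has a treatment or payment relationship with each patient. The following is an added example of that detection logic, not Franciscan Health's or any vendor's code: the log format, the user IDs, the care-team table, and the role names are all constructed for illustration.

```python
"""
Added example: a minimal EHR access-log privacy audit.

Every record below is constructed for illustration. The log format, user
IDs, MRNs, role names and the care-team table are assumptions, not data
from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit-log lines (hypothetical format):
#   timestamp  user_id  role  patient_mrn  action
AUDIT_LOG = """\
2019-04-02T08:01:12Z u1042 nurse MRN00001 view
2019-04-02T08:03:40Z u1042 nurse MRN00002 view
2019-04-02T08:30:09Z u1042 nurse MRN00009 view
2019-04-02T09:15:05Z u2077 quality_research MRN00001 view
2019-04-02T09:15:31Z u2077 quality_research MRN00002 view
2019-04-02T09:16:02Z u2077 quality_research MRN00003 view
2019-04-02T09:16:44Z u2077 quality_research MRN00004 view
2019-04-02T10:20:00Z u3001 physician MRN00009 view
2019-04-02T10:21:00Z u3001 physician MRN00010 break_the_glass
"""

# Constructed "relationship" table: which users are on the care or billing
# team of which patients. In a real deployment this would be derived from
# encounter, scheduling and claims data (an assumption of this example).
CARE_TEAM = {
    "MRN00001": {"u1042", "u3001"},
    "MRN00002": {"u1042"},
    "MRN00003": {"u1042"},
    "MRN00004": {"u1042"},
    "MRN00009": {"u3001"},
}

# Roles whose job is population-level work (e.g. de-identified quality
# research) and who should not need identifiable chart access at all.
NON_CLINICAL_ROLES = {"quality_research"}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    mrn: str
    action: str


def parse_log(text):
    """Parse the whitespace-separated sample format into AccessEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, mrn, action = line.split()
        events.append(AccessEvent(ts, user, role, mrn, action))
    return events


def audit(events, care_team, non_clinical_roles):
    """Return (event, reason) pairs for chart accesses that lack a documented
    treatment/payment relationship. Break-the-glass accesses are excluded
    here because they carry their own justification and are reviewed
    separately."""
    findings = []
    for ev in events:
        if ev.action == "break_the_glass":
            continue
        if ev.role in non_clinical_roles:
            findings.append((ev, "non-clinical role viewing identifiable chart"))
        elif ev.user not in care_team.get(ev.mrn, set()):
            findings.append((ev, "no documented treatment/payment relationship"))
    return findings


def summarize(findings):
    """Distinct patients each user touched without a relationship."""
    per_user = defaultdict(set)
    for ev, _reason in findings:
        per_user[ev.user].add(ev.mrn)
    return {user: len(mrns) for user, mrns in per_user.items()}


def escalate(summary, threshold):
    """Users who touched more unrelated patients than the threshold. A single
    mis-click is common; a pattern across many charts is what privacy
    officers investigate."""
    return sorted(user for user, n in summary.items() if n >= threshold)


if __name__ == "__main__":
    found = audit(parse_log(AUDIT_LOG), CARE_TEAM, NON_CLINICAL_ROLES)
    for ev, reason in found:
        print(f"{ev.ts} {ev.user} ({ev.role}) -> {ev.mrn}: {reason}")
    print("escalate:", escalate(summarize(found), threshold=3))
```

On the constructed sample, the nurse's single unrelated view is reported but stays below the escalation threshold, while the quality-research account that opened four charts it had no reason to see is escalated. The relationship table is the hard part of a real audit: it must be rebuilt continuously from encounter and billing data, or the check produces false positives for legitimate care and misses nothing but the crudest snooping.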
The employee accessed information stored in Franciscan Health's medical record system, which has been in use since 2012. Through that system, the former employee viewed records containing names, addresses, email addresses, dates of birth, phone numbers, gender, race/ethnicity, the last four digits of Social Security numbers, and medical record numbers.
Some patients had further information compromised in the breach, such as physician name, diagnoses, lab test results, medications, other treatment information, driver’s license numbers, emergency contact information, and insurance claims information. A small subset of patients also had their Social Security numbers exposed in the breach.
As required by HIPAA's Breach Notification Rule, Franciscan Health is sending all affected patients breach notifications by mail. The mailing includes instructions for enrolling in identity theft protection services, the cost of which Franciscan Health will cover for two years.
Franciscan Health also recommends that affected individuals "monitor their financial accounts, credit history, and Explanation of Benefits statements as extra precautions".
It is not yet known what action law enforcement will take against the former employee who accessed the information.
“We value patient privacy and deeply regret that this incident occurred,” Patrick Maloney, president and CEO of Franciscan Health Hammond, Dyer and Munster, said. “We are grateful that our robust auditing process identified this privacy incident, and we continue to look for ways to provide strong privacy protections to our patients.”