YAKIMA, Wash. — Virginia Mason Memorial hospital sent out letters last week to 419 of its past emergency room patients, alerting them to a privacy violation.
A routine internal audit revealed that from roughly October to January, 21 employees at the hospital had improperly accessed those patients’ records.
The day the violations were discovered in January, those employees’ access to patient records was revoked, said Trent Belliston, the hospital’s chief compliance and privacy officer.
Over the past few months, the hospital has been investigating the breach, and also contracted with an outside firm to do forensic analysis to determine whether patients’ data has shown up on the black market. None has so far.
While the records were deliberately accessed, at this point, Belliston said, they don’t believe there was any malicious intent behind the privacy violations.
“No evidence that the information’s being used in an improper way,” he said. “We believe this to be a case of snooping, or individuals who were bored.”
There also was no evidence that any particular patient’s records were targeted.
“It was a wide array of patients and information,” Belliston said.
Directors have spoken to all 21 employees involved and “taken the appropriate action,” hospital CEO Russ Myers said, though he said labor and confidentiality laws prevent him from identifying the employees or saying whether the employees were terminated or disciplined.
From the investigation, the hospital knows the employees viewed current patients’ medical information and demographic information, such as addresses. They did not access financial information, or past patients’ records.
“But there was at least the potential for Social Security (numbers) in some cases,” Belliston said. “We can’t, in the system, confirm that someone did look at it; just that it was available to them.”
For that reason, Memorial has purchased credit monitoring through Experian for each of the affected patients for the next two years.
The letter sent to patients explains the credit monitoring offer, and includes a phone number to call for more information.
Belliston and Myers emphasized that this was not an information security problem; the hospital was not hacked from the outside.
Rather, it’s a question of cracking down on employees who access the records of patients they are not personally responsible for, and making sure all employees are trained to carefully follow privacy rules to comply with the Health Insurance Portability and Accountability Act.
“There’s the potential for this to happen in a hospital at any point in time,” said Belliston, whose position was created last May.
There’s not a way to partition employee access to records so everything but their own patients is off-limits, he said.
“The best you can do is have proper education and training and proactive monitoring, which we’re doing. Audits going around the clock,” he said.
The incident has been used as a lesson for everyone who works at Memorial, reminding employees that violations will result in “some significant implications for them as employees at Memorial,” Myers said.
As for ongoing education, Belliston already sits down with each new hospital employee to go over privacy compliance.
He works to teach employees that “similarly to how important the safety of the patient is from a physical standpoint, likewise, the security of their information is also of great importance to us, making sure their information is safe.”
• Molly Rosbach can be reached at 509-577-7728 or firstname.lastname@example.org.