Asante Discovers 9 Years of Unauthorized Medical Record Access by a Physician
Asante, an Oregon-based health system with three hospitals and more than 30 primary care facilities, has started notifying certain patients that their medical records have been accessed by a local doctor who had no treatment relationship with the patients. The physician was not employed by Asante, but had access to Asante’s medical record system as he treated patients in Asante facilities.
An investigation was launched when the unauthorized access was detected which revealed the unauthorized access had been occurring over a period of 9 years, starting in 2014. The doctor – Dr. Paul Hoffman – has had his access to the electronic medical record system terminated. Asante is satisfied that the records were not accessed with any malicious intent and that the medical records were simply accessed out of curiosity and said there is no reason to suggest the affected patients are at risk of identity theft or fraud. The types of information accessed included names, demographic information, and treatment information. No financial information, driver’s license numbers, or Social Security numbers were viewed.
Asante said it has a system in place that monitors for unauthorized medical record access. Asante said it is now investigating how to improve the detection of unauthorized medical record access to ensure similar cases of unauthorized access are detected more quickly in the future.
The HHS’ Office for Civil Rights website indicates the physician accessed the medical records of 8,834 patients without authorization.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Patient Data Compromised in Hacking Incident at Northeast Surgical Group
Northeast Surgical Group in Macomb Township, MI, has recently notified 15,298 patients that some of their sensitive health information has been compromised in a recent hacking incident. Suspicious activity was detected within its network on January 8, 2023, and third-party cybersecurity consultants were engaged to conduct a forensic investigation.
Northeast Surgical Group explained in its notification letters that while the breach was detected in January, it took more than a month to determine the extent to which patient data was involved. The forensic investigation concluded on February 13, 2023, and confirmed that information such as names, addresses, and Social Security numbers had been compromised. Some patients also had their date of birth, medical information, and treatment information exposed. A review was conducted to assess the security of its network and additional monitoring tools have now been deployed.
Northeast Surgical Group said it had not found any evidence to suggest that any patient information has been or will be misused as a result of the breach but has provided affected individuals with complimentary credit monitoring services for 12 months. This appears to have been an attack by the BianLian threat group, which has uploaded some of the stolen data to its data leak site.
White Bird Clinic Says Email Error Resulted in a Disclosure of Patients’ PHI
White Bird Clinic in Oregon has recently notified 584 dental patients that some of their personal and protected health information has been impermissibly disclosed due to an email error. A report containing patient names, dates of birth, medical record numbers, and demographic information was accidentally sent to a patient. The patient confirmed that the attached file had not been opened or further disclosed and said the email and attachment had been deleted.
