EHR snooping: 7,000+ Ohio health system patients potentially victimized
An Ohio-based health system began notifying patients this past week that a former employee may have inappropriately accessed their private records.
Aultman Health Foundation, which is headquartered in Canton, Ohio, said that the former employee could have snooped on patient data for more than a decade, according to the Daily Record.
“Upon discovering this, the employee’s access to Aultman’s electronic health record system was suspended, and an investigation was conducted to determine the nature and scope of the incident,” said company representatives.
WHY IT MATTERS
As reported by the Daily Record, about 7,300 patients across Aultman’s health system had their information involved in the incident.
Between September 14, 2009, and April 26, 2021, the employee may have accessed patients’ names, addresses, birthdays, Social Security numbers, insurance information, and diagnosis and treatment information, said Aultman.
The employee allegedly had access to patient data as part of their job coordinating patient care. The information they accessed was outside the scope of their duties.
Although they have not been identified and will not be facing criminal charges, the health system did fire them.
Aultman said there is no indication patient data has been misused, but that it’s offering free credit monitoring and identity-theft protection to those whose Social Security numbers may have been exposed.
THE LARGER TREND
Snooping may not be as headline-grabbing as other security risks, such as ransomware, but it still presents a very real concern for health systems.
In March 2020, a cybersecurity firm had warned that COVID-19 could present a heightened temptation for hospital workers to poke into patient records without proper justification to do so.
And earlier this year, Montefiore – a health system in New York – reported that an employee had inappropriately accessed patient information between June 2020 and November 2020.
ON THE RECORD
“To help prevent something like this from happening again, Aultman has provided additional training to its system users and is implementing additional measures to protect the information of its patients,” said Aultman in a statement.