Beacon Health System reports breach from employee snooping
An employee at Beacon Health System in South Bend, Ind., who for three years was accessing patient emergency department records without permission or a reason to view them, has been blamed for a breach of protected health information at the facility.
An audit by Beacon Health discovered the unwarranted access of patient information, which occurred from March 2014 to March 2017.
“While the employee may have had authorizations to view records in certain circumstances, the employee viewed patient records without a permissible reason,” the three-hospital delivery system noted in a press release to local media.
“The employee denied taking or misusing any information, and we have no evidence that any information was used to commit fraud or otherwise misused,” the statement continued, indicating that the employee is no longer employed at Beacon Health.
Compromised information includes patient names, Social Security numbers, ages, diagnoses, room numbers, acuity of illness, chief complaints and some financial and insurance coverage information.
Beacon Heath is reviewing training materials and putting in place new procedures to reduce the likelihood of a similar incident occurring again. Affected individuals are being offered one year of identity monitoring and identity restoration services from Experian, and they are being urged to monitor account statements and credit reports.
This is the second major breach of protected health information for Beacon Health System, which operates three hospitals, home care services and a medical group practice. A hacking incident in May 2015 affected 306,789 individuals.
Beacon Health declined to provide more information on the most recent incident, but sent the following statement about the incident:
“Beacon Health System’s Information Security and Privacy Team monitors employee access to records 24/7 and investigates potential issues for appropriateness on a daily basis. After an anomaly outside of Beacon’s routine monitoring was detected, upon further review, there was evidence that records other than those that were needed to complete this individual’s job duties were viewed. A third party forensic review validated that no information was electronically downloaded or transferred. Out of an abundance of caution, Beacon took the most conservative route to report the incident and notify those involved.”