New York Hospital Breach Indicative of Larger Security Problems

SUNY Upstate University Hospital announced Nov. 9 that a former employee had inappropriately accessed more than 1,200 patient records between November 2016 and October 2017.

by James T. Mulder, Syracuse Media Group / November 13, 2018

(TNS) — The exposure of private medical information at SUNY Upstate University Hospital is part of a rapidly growing national problem.

So far this year, 359 health information breaches at hospitals, health insurers and other organizations have been reported to the federal government.

Breaches involving 176.4 million health records occurred in the U.S. between 2010 and 2017, according to a recent study published in the Journal of the American Medical Association.

Upstate announced Friday an employee inappropriately accessed the medical records of 1,216 patients between Nov. 3, 2016 and Oct. 23, 2017 without having a legitimate reason to do so. The employee no longer works at the hospital. Upstate said it was contacting affected patients.

The hospital reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights, which investigates violations of the Health Insurance Portability and Accountability Act, or HIPAA, a federal law that safeguards medical information.

Upstate could face federal fines ranging from $100 to $50,000 per violation if an investigation shows it was negligent. The Office for Civil Rights also brings criminal charges in some HIPAA cases.

Anthem, the nation's second-biggest health insurer, recently agreed to pay the federal government a record $16 million fine after the personal medical information of 79 million people was exposed in a cyberattack on the insurer's computer system.

Upstate said the former employee, whom it did not identify, has not been charged with a crime.

Upstate said it does not believe any patient information was misused by the employee. Social Security numbers, insurance identification numbers, credit card information and other types of information often used by identity thieves were not compromised.

But the breached information included patient names, ages, diagnoses and services received.

Lee Barrett of the Electronic Healthcare Network Accreditation Commission, an independent nonprofit group, said patient data breaches are on the rise because a medical record is worth $500 to $800 on the black market.

The information in a medical record can be used to submit fraudulent insurance claims, obtain medical devices, get prescription drugs and blackmail people, Barrett said.

Barrett said breaches also are increasing because many organizations don't have the proper procedures, policies and controls in place to protect medical records.

Upstate did not say why the former employee accessed the records.

Barrett said disgruntled employees sometimes do this to get back at their employers.

He said Upstate patients affected by the breach should check their medical records to make sure they are accurate. Barrett also recommended they check their employer's records to make sure they don't include diagnoses they do not want disclosed.

Upstate said affected patients should be alert to suspicious activity that could result from the breach. Patients, for example, could be contacted by someone who has this information and attempts to obtain additional information that could be used for identity theft.

©2018 Syracuse Media Group, N.Y. Distributed by Tribune Content Agency, LLC.