University Healthcare notifies patients of personal information breach
WVU Medicine University Healthcare recently notified over 7,000 patients of a breach of unsecured personal patient protected health information after discovering that an employee had accessed patient information without authorization.
On Jan. 17, University Healthcare officials became aware of an FBI and local law enforcement investigation into the unauthorized access, use and disclosure of personal information contained on the electronic systems of University Healthcare by an employee of Berkeley Medical Center in Martinsburg.
As soon as University Healthcare was notified of the potential breach, an extensive internal investigation began. Through this investigation, a connection between the employee and 113 former patients was confirmed.
The employee was suspended and then terminated as a result of her illegal conduct.
University Healthcare’s internal investigation as well as the investigation by law enforcement confirmed that this unauthorized access began no earlier than Mar. 1, 2016 and is presumed to have continued until the former employee was suspended. In working with law enforcement, University Healthcare also learned that she inappropriately removed the patient information by handwriting it onto paper and carrying it off the premises.
While the criminal investigation is still ongoing, authorities have confirmed that 113 of the 7,445 individuals are victims of identity theft.
All 113 confirmed victims were contacted immediately by law enforcement. The former employee is being criminally prosecuted.
Police found copies of drivers’ licenses with photos, ID cards, insurance cards and/or Social Security cards in the former employee’s possession. University Healthcare has since tracked her computer system access and determined that in some instances she also viewed physician orders containing diagnoses and other medical information.
University Healthcare has safeguards in place to ensure the privacy and security of all patient health information. Because the former employee had access to this information as part of her employment as an authorization/prescheduling coordinator, her criminal conduct could not be detected as part of University Healthcare’s routine IT/privacy security checks. The former employee completed annual mandatory education on privacy/protected health information and signed a confidentiality agreement. A background check was also completed prior to her joining the organization.
University Healthcare is working with local law enforcement and security experts to notify impacted patients of the breach. Kroll, a global leader in risk solutions, has been hired by University Healthcare to provide identity monitoring at no cost to all 7,445 individuals for one year.
University Healthcare is also encouraging these patients to contact their financial institutions to prevent unauthorized access to personal accounts.
Kroll has established a call center for patients who have questions related to the data breach. Individuals may call 855-656-6592, Monday through Friday, 9 a.m. to 6 p.m. (Eastern Standard Time) or visit Kroll’s website at www.kroll.com for further information.
“University Healthcare understands the importance of safeguarding our patients’ personal information and takes that responsibility very seriously,” stated Anthony P. Zelenka, president and CEO.
“We regret that this incident has occurred. We are committed to work with our patients whose personal information has or may have been compromised, and help them work through the process.”