Breach Motivated by Marketing

Radiologist was using stolen data to recruit patients, hospital reports
Connecticut Attorney General Richard Blumenthal has launched an investigation into an apparent breach by a radiologist who was taking information from one hospital where he formerly worked and using it to drum up business at another hospital.

Earlier this year, Blumenthal became the first attorney general in the nation to file a civil lawsuit for a violation of HIPAA privacy and security rules as permitted under the HITECH Act.

Patients notified

Following an investigation prompted by patient inquiries, Griffin Hospital in Derby, Conn., notified 957 patients, as well as state and federal authorities, about the breach, which occurred from Feb. 4 through March 5.

The radiologist involved formerly worked for an independent radiology group that provided services to Griffin Hospital. The radiologist was terminated from the group Feb. 3 and lost his authorization to access the hospital's picture archiving and communications system, which includes radiology images and related data.

The hospital's investigation determined that after he stopped practicing at the facility, the radiologist used the passwords of other physicians and employees to gain unauthorized access to the PACS directory listings of 957 patients who had radiology studies performed at the hospital. He then downloaded information on 339 of those patients.

Marketing campaign

Griffin Hospital received inquiries from patients regarding unsolicited contact from the radiologist, who offered to perform professional services at another area hospital, according to a statement from the hospital.

The radiologist made these inquiries after he accessed information from the PACS that included: patient name, exam date, exam description, gender, medical record number and date of birth. He did not, however, access patient financial information or Social Security numbers, the hospital noted. "As a result, it would appear that there is no further action patients need to take to protect them from future harm resulting from the breach," according to the hospital's statement.

"The PACS system allows authorized physician users to access radiology study images through a secured network from workstations in the hospital and from remote locations outside the hospital," the hospital noted.

"Steps are under way to further strengthen the security of patient information," according to the statement. A hospital spokesman declined to comment on how the radiologist obtained the passwords or on what new security steps the hospital will take.

Also, the hospital:

  • Hired an attorney to issue a "cease and desist demand" to the physician.
  • Changed all the passwords for PACS users whose passwords were used in the breach.
  • Advised all PACS users "of the need for strict password confidentiality."

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
