Breach Motivated by MarketingRadiologist was using stolen data to recruit patients, hospital reports
Earlier this year, Blumenthal became the first attorney general in the nation to file a civil lawsuit for a violation of HIPAA privacy and security rules as permitted under the HITECH Act. For a story on that case, click here.
Griffin Hospital in Derby, Conn., notified 957 patients, as well as state and federal authorities, about the breach that occurred from Feb. 4 through March 5 after an investigation prompted by patient inquiries.
The radiologist involved formerly worked for an independent radiology group that provided services to Griffin Hospital. The radiologist was terminated from the group Feb. 3 and lost his authorization to access the hospital's picture archiving and communications system, which includes radiology images and related data.
The hospital's investigation determined that after he stopped practicing at the facility, the radiologist used the passwords of other physicians and employees to gain unauthorized access to the PACS directory listings of 957 patients who had radiology studies performed at the hospital. He then downloaded information on 339 of those patients.
Griffin Hospital received inquiries from patients regarding unsolicited contact from the radiologist, who offered to perform professional services at another area hospital, according to a statement from the hospital.
The radiologist made these inquiries after he accessed information from the PACS that included: patient name, exam date, exam description, gender, medical record number and date of birth. He did not, however, access patient financial information or Social Security numbers, the hospital noted. "As a result, it would appear that there is no further action patients need to take to protect them from future harm resulting from the breach," according to the hospital's statement.
"The PACS system allows authorized physician users to access radiology study images through a secured network from workstations in the hospital and from remote locations outside the hospital," the hospital noted.
"Steps are under way to further strengthen the security of patient information," according to the statement. A hospital spokesman declined to comment on how the radiologist obtained the passwords or on what new security steps the hospital will take.
Also, the hospital:
- Hired an attorney to issue a "cease and desist demand" to the physician.
- Changed all the passwords for PACS users whose passwords were used in the breach.
- Advised all PACS users "of the need for strict password confidentiality."