Sutter Health California Pacific Medical Center audit uncovers data breach

You rest your coffee on your desk in the morning. You’re trying to shake off the morning commute to the office and desperately wait for feeling to return to your extremities from the cold weather. Your laptop springs to life with a happy chime that causes you to grimace in pain as the caffeine has yet to find the target. Then you see that email waiting for you with “breach” in the subject line.

This is what was discovered in the course of a recent audit by the folks at California Pacific Medical Center. It turns out that over the last couple of years that an employee with CPMC had accessed the medical records of 844 people without any valid reason to do so. That is a troubling number. The breach came to light in October 2014. The employee in question was terminated and the investigation kicked into high gear.

The staffer had access to all manner of data and it appears that this was done out of curiosity as opposed to malicious reasons.

From CPMC:

The type of information varied for each patient. While the employee potentially viewed the last four digits of some social security numbers, the employee did not have access to full Social Security numbers, driver’s license numbers, California identification numbers, credit card numbers or financial account information.

What is it that drives this sort of behavior in some medical personnel? This is by no means the norm (I sincerely hope) but, there have been enough stories in the media recently to cause me to wonder. What is it that causes this to keep happening?

Just today I read that a second hospital has come forward to disclose that staff had inappropriate access to the medical records of the former mayor of Toronto, Rob Ford. This happened at Humber River Hospital and the staff in this case are facing disciplinary action as a result. The first instance was at Mount Sinai Hospital.

From The Toronto Star:

Gerard Power, director of public and corporate communications for the Toronto hospital, said in an emailed statement to the Star Wednesday night that “an investigation had shown that inappropriate access of his medical record was obtained by certain individuals”.

Is it a morbid sense of curiosity that people access these records? Are they intending to sell the information in these files to media? Or is this just simple curiosity that drives them? In the case of the CPMC incident it seems that the staffer was merely curious but, this does not excuse a privacy breach. The company did not indicate if they are going to provide any sort of credit monitoring services for the 844 affected individuals or not.

Stories like this cause me to wonder if hospitals are doing enough to protect patient privacy.

Curiosity may have killed the cat but, in this case the cat lost their job.

(Image is a screen shot of the CPMC website)


Copyright © 2015 IDG Communications, Inc.

21 best free security tools to make your job easier