Adam D. Krauss reports:
Concern over Wentworth-Douglass Hospital’s handling of a broad privacy breach into patients’ records has widened with the Attorney General’s Office confirming it is reviewing what happened.
“It is something we’re looking into,” said James Boffetti, who leads the AG’s Consumer Protection & Antitrust Bureau.
Boffetti said he could not divulge specifics, but confirmed the bureau took over the case after a complaint was made to the agency’s Medicaid Fraud Unit.
He also said a relevant state law is RSA 359-C: 20, which requires notification of a security breach, something WDH representatives have acknowledged they did not do after learning of the breach, which lasted from May 2006 to June 2007. An audit wasn’t completed until May.
The hospital reviewed the law at hand but “determined that a report to the AG’s office or notification to the patients was not required by that law,” Noreen Biehl, vice president of community relations at WDH, said in a written response Thursday night. “That statute was not ignored; the hospital simply determined it did not apply to this situation.”
Read more on Fosters.com.
I am familiar with the details of this episode. It should be noted that besides the HIPAA violations involved, hundreds of pathology reports were altered in a variety of ways by the transcriptionist in an attempt to disrupt the dissemination and accuracy of these reports. Some of these alterations may constitute criminal tampering with the medical record. Depending on DOJ’s findings in their investigation of this breach, this may be one of the most significant cases of altering the EMR reported thus far. That it was accomplished by a transcriptionist with relatively little computer training on the software is certainly worrisome.
You raise a really scary point, TLM. And maybe as we listen to people present assurances about how EMR will be secured, we should raise this case as an example and ask what prevents one person or a few from totally destroying the accuracy of EMR that may be relied upon in life-threatening situations.
There are several issues to this particular case that are worth understanding. The transcriptionist’s unauthorized entry into the client side of the PowerPath software used in the lab, along with her data alteration on multiple cases in different fields in the system, went on for 13 months. This despite alarm bells being raised early on by lab personnel all the way to the top of hospital administration. A lab worker finally tracked down the culprit by following electronic changes made in the software, something the IT and Transcription departments were apparently unable to do. Typically, the hospital’s CEO sought to squelch any investigation into the breach.