This news story by Judy Benson was published a few weeks ago, but I wanted to mention it here because we’ve seen this type of access problem before:
…. In the Swanson case, records for Ruggiero-Swanson, her husband Brian and her 27-year-old son, also named Brian, were accessed by Brian Sr.’s estranged sister, according to documents obtained by The Day. Beverly Swanson of Waterford used privileges she had as an employee of the Neurological Group, a New London medical practice, to access Lawrence & Memorial Hospital’s electronic medical records system, the documents state.
Swanson was able to tap into L&M’s system and access her relatives’ records, even though none of the three are patients of the Neurological Group, according to letters to Ruggiero-Swanson from L&M and the Neurological Group. Ruggiero-Swanson received the letters after requesting that both L&M and the Neurological Group perform records audits.
Now, more than two months after receiving confirmation that her family’s records had been inappropriately accessed, justice, as Ruggiero-Swanson sees it, is finally being carried out. Beverly Swanson was arrested Wednesday on charges of committing a computer crime. Due to the way the HIPAA law is written, she could not be charged with a violation of that law, but computer crime laws did apply.
Read more on The Day.
Too much access and no check to determine whether there is any valid reason to access a patient’s files is a recipe for a breach. While the employee has been charged with computer crimes, what, if anything, happens to the Neurological Group and L&M for their security inadequacies?