Massachusetts EMR firm reports breach

Here’s another case, not yet reported in the media, involving insider wrongdoing and electronic medical records:

On Tuesday, Lawrence Melrose Medical Electronic Record, Inc. in Melrose, Massachusetts notified the New Hampshire Attorney General’ office that an employee of a medical practice  improperly accessed the EMRs and patient registration information of patients at six medical practices in Melrose: Canan Avunduk, MD (Baystate Gastroenterology), Maury Goldman, MD, Hallmark Health Medical Associates, John Mudrock, MD, Main Street Family Practice, and Womens Healthcare Associates.

The firm, which does not appear to have its own web site, is listed as a non-profit having its address as 585 Lebanon St., c/o Hallmark Health, Melrose, MA 02176.

Their notification to the state, which was filed by their law firm,  did not include a copy of their notification letter to patients, so we do not yet know the full scope of information the employee accessed or why.  A patient registration form on one of the practice’s sites, however, suggests that name, contact details, date of birth, Social Security numbers, employment information, insurance information, and emergency contact information were all in the database.

Notification letters to two patients in New Hampshire were to be sent on or about March 14. It is not clear how many patients, total, were affected by this incident as the report identifies six medical practices whose patients were affected.

In response to the breach, the firm says it is enhancing its privacy and security controls, consulting with professionals about implementing better access control monitoring, and re-training all employees.  Affected patients are being offered credit protection and restoration services through Kroll.

The letter does not indicate whether the employee has been referred to law enforcement for criminal charges.