Scott Daugherty has an update on an insider breach involving two former Sentara Healthcare nurse’s aides. It turns out that they accessed the information of 3,700 patients between September 2011 and April 2013. Most of the victims were patients at Sentara Virginia Beach General Hospital between September 2012 and February 2013.
Sentara Healthcare’s chief privacy officer, Greg Burkhart, announced the scope of the data breach Friday after the second of the two men pleaded guilty in U.S. District Court to conspiracy to defraud the government.
While court documents indicate fewer than 250 victims fell victim to the scheme, Burkhart said the federal investigators have forwarded to the hospital evidence the two men had information on thousands of patients.
Read more on Virginian Pilot. Notification letters will be going out next week, although it’s not clear when Sentara first learned of the scope and identities of the 3,700 patients. Nor is it clear how nurse’s aides were able to access so many patients’ information in a 5-month period without the system’s security detecting anomalous behavior.
Note that this breach has never appeared on HHS’s breach tool, possibly because Sentara thought/reported that less than 500 were involved. It will be interesting to see if and when this shows up on the public breach tool.