Adam D. Krauss updates us on an insider breach at Wentworth-Douglass Hospital (WDH) that was covered previously on this site.
Frisbie Memorial Hospital says it will notify the families of two patients whose autopsy reports were altered when a Wentworth-Douglass Hospital employee made unauthorized changes to patients records’ at WDH’s pathology lab.
Frisbie’s plan is one officials at WDH opted against.
“We just think it’s the appropriate thing to do,” said Joe Shields, Frisbie’s vice president of planning and project management.
The breach took place between May 2006 and June 2007 at the hands of a WDH employee who more than 1,800 times accessed patients’ pathology lab records after she was transferred from the lab.
[…]
Shields clarified matters to say the actual changes to the reports don’t necessarily merit notification but it’s a different story since they occurred during the breach.
Moore and Littell allege WDH administration dragged its feet in investigating the breach and only informed the doctors after their dogged insistence.
Read more of this story on Fosters.com.
This breach now becomes part of the debate on why breached entities should not be allowed to determine whether or not to notify people about a breach and should just be required to notify. While it’s somewhat admirable that Frisbie Memorial Hospital is electing to do what WDH declined to do, neither should have been in a situation where notification was optional instead of mandatory.
Crossposted from PHIprivacy.net