Date: 2017-05-30

A Trios Health employee improperly accessed the electronic medical records of about 600 patients over 3 1/2 years, the Kennewick health system announced Tuesday morning.
The records may have included information related to Trios Health visits, not including visits to outpatient Trios Medical Group providers, as well as diagnoses, demographic information such as addresses, phone numbers and driver’s license numbers, and also social security numbers, Trios officials said in a statement.
The breach was discovered recently. Affected patients are being notified by mail.
The employee has been fired.
“Based on our investigation thus far, this appears to be an isolated case in which the gathering and use of patient information for purposes of identity theft was not a motivation,” said Elizabeth Rice, director of Health Information Management and compliance officer, in a statement.
However, Trios will pay for affected patients to enroll in free identity theft protection and credit monitoring services for one year, the health system said.
The improper access happened between October 2013 and March 2017, and came to light after Rice came on board to provide patient information and compliance oversight.
“Thoroughly examining and tightening up potential compliance issues is one of the major action items outlined in the operational improvement plan Trios Health is diligently working through right now,” said Craig Cudworth, chief restructuring officer and interim CEO, in the statement.
Rice took over the role in March and she and her team began a planned review process. Once the breach was discovered, “we took immediate action to investigate it, notify the appropriate parties, and begin putting additional protections in place to prevent it from happening again,” Rice said.
Trios has notified the state Attorney General’s office and the federal Office of Civil Rights (OCR), and may face fines.
“It is not yet known what the total fines will be or what other corrective actions may entail,” the statement said.
“We are operating under full disclosure to the OCR and the Washington State Attorney General’s office as our investigation continues,” Cudworth said. “Compliance and accountability are non-negotiable in healthcare, as it should be in any industry, and we will continue to uphold this standard as we work through this matter and going into the future. We cannot succeed as an organization without holding ourselves and others responsible for mistakes and taking decisive action to address them.”
Trios isn’t naming the employee or saying which department he or she worked in. The employee had access to the records systems as part of his or her job duties, but the investigation revealed the employee looked up patient records when there was no direct job-related reason. That’s a violation of the Health Insurance Portability and Accountability Act, or HIPAA.
Affected patients should be getting letters about the breach this week. Patients who are concerned but haven’t received a letter, or who don’t have a mailing address on file with the health system, should call the Health Information Management department at 509-221-5720 (option 2) between 7 a.m. and 4 p.m. weekdays. A Frequently Asked Questions page is online at trioshealth.org/privacy.
People can submit questions not answered there to Privacy@trioshealth.org.
This is a developing story. This post will be updated.
