DCH Employee Fired After Accessing Confidential Information of Over 2,500 Patients
Tuscaloosa's DCH Health System has fired one of its employees who was found to have accessed private information from more than 2,500 patients since September 2021.
According to a release from DCH spokesperson Andy North, during a routine privacy audit last month, it was discovered that a hospital employee had accessed the electronic medical records of a patient on December 5 without having an apparent reason to do so.
North said further investigation revealed the employee had accessed and viewed additional DCH patient electronic medical records between September 2021 and December 9, 2022 without a legitimate business need related to the employee's job duties.
DCH Health System said the information that was accessed included patients' names, addresses, dates of birth, Social Security numbers, dates of encounters, diagnoses, vital signs, medications, test results and clinical or provider notes.
Approximately 2,530 patients were affected and notified by the health system as a result of the incident.
DCH Health System said it takes its responsibility to safeguard protected health information very seriously and immediately took action against the employee, whose identity was not released, and offered resources to those affected.
"DCH Health System immediately suspended the employee and terminated the employee’s access to all medical records and other information systems," the release read. "Upon further investigation to assess the information impacted, DCH subsequently terminated the individual’s employment one business day after initial discovery."
The release said DCH System has engaged a data breach recovery expert and established all required and necessary communications to the affected patients and regulatory officials, notifying all affected patients by mail of the data breach on January 17.
The health system also provided free identity theft protection services, including credit monitoring, to all patients whose insurance group and subscriber or policy numbers may have been involved.
The release states the health system will continue "to provide ongoing mandatory HIPAA and privacy training to its workforce members regarding appropriate access, use and disclosure of protected health information" and "use this incident to improve our privacy monitoring tools and processes."
Anyone who did not receive notification of the breach but would like to find out whether their privacy was compromised can call toll-free at 1-855-624-6814.
The call center will operate Monday through Friday from 8 a.m. until 5 p.m., excluding major holidays. The number will be operational until April 17.