Data Loss mailing list archives

EMR vendor at fault in patient data breach
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 19 Mar 2013 10:19:08 -0400


Lawrence Melrose Medical Electronic Record, Inc. (LMMER), an EMR
vendor serving clients in New Hampshire and Massachusetts, has sent a
letter to the New Hampshire Attorney General’s office notifying
authorities of a data breach involving its software.  An unauthorized
employee accessed the EMRs and registration information at six
Melrose, MA practices, including social security numbers, date of
birth, emergency contact information, and employment and insurance

While information is scarce and LMMER doesn’t have a registered
website, the company’s letter suggests that a hole in the software’s
security measures may have been to blame for the breach.  “LMMER is in
the process of implementing privacy and data security enhancement
measures in response to this incident,” the letter to Attorney General
Michael A. Delaney states, “including increasing the profile of
privacy and data security issues at all levels, re-training employees
of the participating medical groups…and engaging consultants to
develop a tool for more effectively monitoring access to patient
medical records.”

The employee who accessed the records has been terminated, said Rick
Pozniak, systems director of marketing and communications at Hallmark
Health System, which organized the medical records corporation. “Both
the physician’s practice and HHS deeply regret and apologize for any
concern or inconvenience this situation may cause the patients,” said
Pozniak in a statement. “We are in the process of reviewing the
privacy and security of our electronic medical records system and
making improvements to the security safeguards we currently employ.”

LMMER will provide a free year of credit monitoring and identity theft
counseling for the affected patients, although it isn’t clear how many
have been affected by the incident.  Letters to two New Hampshire
patients were sent on March 14.  The six practices involved in the
breach are: Canan Avunduk, MD (Baystate Gastroenterology), Maury
Goldman, MD, Hallmark Health Medical Associates, John Mudrock, MD,
Main Street Family Practice, and Women’s Healthcare Associates.
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/