Breach of privacy at St. Joseph's

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.sasklifestyles.com/article/20130628/ESTLIFESTYLES0101/130629920/-1/estlifestyles/breach-of-privacy-at-st-josephs

An employee at St. Joseph's Hospital in Estevan has been fired
following a privacy breach at the hospital.

A regular audit of the pharmaceutical information program determined
that the employee improperly accessed the records of seven
individuals. The information program is a record of prescription
medications that have been filled at community pharmacies in
Saskatchewan. It is used for treatment and care of patients in a
proper manner.

"That information is important for physicians for the treatment of
patients," said St. Joseph's Hospital CEO Greg Hoffort.

All staff members are required to pledge to maintain the privacy and
confidentiality of patient information, and St. Joseph's conducts
regular audits of its records to ensure proper protection of health
information.

The breach was discovered in mid-June.

"The accesses had occurred over the previous couple of months," said Hoffort.

The employee was immediately suspended, and has since been terminated.
The investigation took about a week.

St. Joseph's has filed a report with the office of the privacy
commissioner and is acting under their guidance.

Hoffort said the hospital tries to minimize incidents like this by
having proper protocol and procedures in place.

"Because of that, we were able to find the breach in a timely manner,"
said Hoffort. "From that perspective, in light of a very unfortunate
situation, we're very pleased to learn that we do have those protocols
in place."

The individuals whose records were accessed have been notified.
Hoffort said the hospital regrets that the situation occurred, and it
has apologized to the affected individuals.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.