LINCOLN, Maine — Health Access Network is warning “a very small number” of its 17,000 patients to beware of identity theft after firing a new employee for improperly accessing patient clinical information, its CEO said Wednesday.
The federally funded community health center contacted the U.S. attorney general’s office and the Department of Justice on Monday and began mailing letters to affected patients last week. The letters advised the patients to monitor their “various accounts to ensure there is no suspicious activity,” according to a copy a patient gave to the Bangor Daily News on Tuesday night.
Health Access officials had not received any complaints of the data being used criminally as of Wednesday, Chief Executive Officer Bill Diggins said. Citing advice from legal counsel, he declined to identify the fired worker and described the number of patients involved as “less than 500.” Federal law requires that public notices go to media if 500 or more patients’ records are invaded, Diggins said.
The worker had access to patient billing information — including Social Security numbers and payment arrangements — as part of her job, but she was fired after computer tracking indicated that she inappropriately opened clinical data. That includes patient visit notes, diagnoses and plans of care, Diggins said.
“We know from the computer that no copies were made, but beyond that, we don’t know what she wrote down,” Diggins said Wednesday.
One of the victims, 29-year-old Medway resident Nichole Booton, said she found the data breach “both terrifying and infuriating.”
“To find out that your financial information and Social Security number have been illegally accessed and not knowing what has been done with that information, or who has done it, is the worst feeling,” Booton said.
Diggins said the approximately two-month gap between the first discovery of the breach and the first notification mailing was well within the 60-day requirement for action mandated by the federal Health Insurance Portability and Accountability Act, or HIPAA.
“Our investigation required a detailed review of every patient record this employee had accessed during the time of her employment. That’s our reason for it,” Diggins said. “We did enough of an investigation to see if there was proof. We did not know what the total access was, and we had to review every file she had contact with or opened. Then we had to determine whether her access was appropriate, and that took until the letters went out.”
The breaches occurred between June and August and were discovered on Aug. 18. When confronted that day by Health Access supervisors, the woman did not say why she accessed the records. She was fired that day, Diggins said.
Health Access officials then began taking steps required by HIPAA. They completed their review by Sept. 27 and, with help from their attorneys, drafted letters tailored to each victim and began mailing them on Oct. 13, Diggins said.
The federal notification came on Monday because regulations require that at least some remedial actions be included in Health Access’ report to federal officials, Diggins said. He said he did not know what the agency would have done if criminal violations had been reported sooner.
“This is the first such incident we’ve dealt with,” Diggins said.
Only patients whose files were invaded were sent letters, Diggins said.
HIPAA violators can face civil fines of $100 to an annual maximum of $1.5 million, according to the U.S. Government Publishing Office website. Violators in criminal cases involving the acquisition or disclosure of medical or financial data can face fines up to the annual maximum and one to 10 years of imprisonment.
The breach has compelled Health Access officials to require regular audits of all new employees’ usage of medical records “until they establish that they understand their obligations,” Diggins said.
The agency employs 120 workers. More procedural changes are likely, Diggins said.
Booton praised Health Access officials for their kindness and quick responses to questions. The two-month gap, however, “sort of makes it all the more terrifying, actually, because not all of us pay close attention to our accounts every day.”
“So now, it’s not only [that you have to] pay attention to your accounts from here on out. We now have to go back through every purchase from June to today,” Booton said.
“You just hope for justice in this all, and answers,” she added. “I hope that charges are pressed on whoever has done this, and that there are consequences for her actions, particularly where this has happened to so many of us, and based upon the varying information that was accessed — financial for some, medical for others.”
Diggins advised any Health Access patient concerned about the breach to call the center at 794-6700 for information.