WATERLOO, Iowa — Personal information of roughly 1,620 UnityPoint Health patients was “inappropriately accessed” by a former employee at Allen Hospital.
Staff found out what the employee had been doing on March 14, 2016 and started a review, according to a statement from UnityPoint. It turned out that she had been making unauthorized entries on the hospital’s electronic medical record (EMR) for almost seven years, dating back to September 2009.
“Allen Hospital promptly disabled the employee’s medical record access, took action consistent with our discipline policies and has reported the incident to the United States Department of Health and Human Services,” read the statement.
While accessing the EMR, the employee was able to see patient’s names, addresses, birth dates, insurance account numbers, and medical treatment information, according to the statement. The review found that she may have also seen social security numbers for about 240 patients. There was no credit card information involved.
“We apologize to our affected patients, and we accept our responsibility to keep this event from happening again,” said Allen Hospital spokesman Jim Waterbury.
All the patients whose security has been breached have been notified by mail, the statement said. Additionally, they have all been offered a free membership to a credit monitoring service.
As of Thursday, May 12, 2016, there haven’t been any reports of identity theft from the situation. There was no indication that any criminal charges were filed.
In their statement, UnityPoint Health explained that while it’s “on a strict need-to-know basis,” employees are given access to the EMR. So, in order to do her job, the employee was allowed to use the system, but she apparently “had no medical need to know or access the patient information under review.”
There has been a line specifically set up to answer questions about the breach. Call 877-332-6271, if you have questions or concerns. The line is open Monday through Friday from 8 a.m. to 8 p.m. Central Time.