Meritus Medical Center notifies patients of improper access to data
Maryland-based Meritus Medical Center is notifying more than a thousand patients that an employee with one of its vendors may have accessed patient information outside of their normal job duties.
How many victims? 1,029, according to reports.
What type of personal information? Names, dates of birth, ages, genders, medical record numbers, and treatments and/or diagnosis information. In some instances, health insurance information and Social Security numbers.
What happened? An employee of a Meritus Medical Center vendor may have accessed patient information outside of their normal job duties.
What was the response? Meritus suspended the employee's access to its systems and conducted an investigation. Meritus is working to further strengthen controls related to vendor access to patient information, and is enhancing its existing system monitoring capabilities with regard to vendor access. All potentially impacted patients are being notified.
Details: The incident was discovered by Meritus on May 4 during its routine compliance and self-audit efforts. The employee may have accessed the data between July 2014 and April.
Quote: “Even though we have no evidence that any of this information has been misused, we began mailing letters to affected individuals on June 26, 2015, and have established a dedicated call center to answer any questions they may have,” a notification posted to the Meritus website said.
Source: meritushealth.com, “Notice to Meritus Medical Center Patients Regarding Privacy Incident,” June 26, 2015.