Breach

Unauthorized user accesses medical records at Iowa-based health system

October 3, 2013

Nearly two thousand patients may have personal information at risk after an unauthorized user accessed an electronic medical record (EMR) system for Iowa-based UnityPoint Health.

How many victims? Roughly 1,800.

What type of personal information? Names, home addresses, dates of birth, medical and health insurance account numbers, and health information related to patient treatments. Additionally, Social Security numbers and driver's license numbers were accessed for less than 10 percent of affected patients. Financial information was accessed for four patients.

What happened? An unauthorized individual employed by a third party gained access to the EMR system by using passwords of people authorized to view the EMR system for medical purposes. 

What was the response? Passwords were reset to cut off unauthorized EMR system access. A review was conducted by UnityPoint Health and a law enforcement investigation is ongoing. Letters are being sent to affected patients, offering them a credit monitoring product. Authorized users of the EMR system are being provided education on privacy and password policies. UnityPoint will be conducting additional audits to minimize risk of a similar incident.

Details: Unauthorized access to the EMR system occurred between February and August. The incident was learned of on Aug. 8, during a regular audit, when UnityPoint noticed a pattern of unusual access to certain patient data in the EMR system.

Source: “Unauthorized Access of UnityPoint Health Patient Data Under Investigation (PDF),” Oct. 2, 2013.

prestitial ad