News Feature | May 12, 2014

UMass Notifies Patients Of Data Breach

By Christine Kern, contributing writer

UMass has notified more than 2,400 patients of a data breach caused by an ex-employee.

UMass Memorial Medical Center (UMMMC) of Worcester, MA, following a two-month investigation, announced it has alerted more than 2,400 affected patients of a data breach involving inappropriate internal access. UMMMC claims the two-month delay was a result of the investigation to determine how long the ex-employee had access to the data. The organization plans to improve its privacy and security program as a result of the breach.

According to the Worcester Business Journal, four patients’ data was initially found to be accessed and potentially misused by a former employee between May 6, 2002 and March 2014. Although UMMMC said in its statement it doesn’t believe that the data has been misused, it has notified an additional 2,400 patients that their data may have been accessed.

The statement reads, in part: “The information may have been used to open commercial accounts, such as credit card and cell phone accounts. Upon receiving this information, UMMMC immediately began an internal investigation. We continue to investigate and cooperate with law enforcement. Our investigation has determined that the employee had access to patient information such as name, date of birth, Social Security number, and address at some point between May 6, 2002 and March 4, 2014. We are not aware of the misuse of any medical information.”

The hospital is not admitting that any fraud occurred, but has reason to believe that the employee may have accessed the names, addresses, dates of birth and Social Security numbers of four patients outside of normal job duties. “The information may have been used to open commercial accounts, such as credit card and cell phone accounts.”

An investigation revealed the now ex-employee accessed information on about 2,400 additional patients, although there is no indication the data was misused. “If any access to patient information occurred outside of normal job duties, it would have been during the former employee’s tenure from May 2002 to March 2014,” according to the hospital statement.

The investigation with law enforcement continues. The university is presently not at liberty to disclose how it learned of the impermissible access to information, but a spokesperson says there is no known access outside of normal job duties until 2011.

UMass Memorial is offering one year of free credit monitoring and identity theft protection services from Experian to all 2,400 potentially affected patients. Breach notification services firm Immersion Ltd. of Claysburg, Pa., has been contracted to handle mailings and a call center, and patients who are aware of misuse of their information to open commercial accounts should contact the call center.