An employee in the quality research department of Franciscan Health gained unauthorized access to the records of about 2,200 patients in May, the organization reported.
The 12-hospital delivery system based in Hammond, Ind., confirmed the inappropriate access to protected health information. The data breach was found during a routine privacy audit process conducted by the organization.
In a notification letter to patients, Franciscan Health said there is no evidence that the employee—since terminated—downloaded, disclosed or transmitted any of the PHI.
“The affected records include information that was created or received by your healthcare providers in the course of providing treatment, including medical records from other facilities incorporated into the electronic medical record at Franciscan Health,” the organization explained.
At least 18 types of protected health information were put at risk, including demographic data, medical record numbers, diagnoses, lab results, medications, driver’s license numbers, last four digits of Social Security numbers and, for a small subset of patients, complete Social Security numbers.
Affected patients have been notified and are being offered two years of identity theft protection services from one of the three credit rating agencies. “Patients affected are also encouraged to monitor their financial accounts, credit history and explanation of benefits statements as extra precautions,” Franciscan Health counseled.