WATERLOO — UnityPoint Health-Allen Hospital is reviewing a breach of patient information that occurred over about seven years.
The hospital is notifying approximately 1,620 patients that a former employee inappropriately accessed their personal information in the hospital’s electronic medical records.
Allen Hospital staff detected inappropriate access to the hospital’s medical records March 14 and opened an immediate review, said Jim Waterbury, the hospital’s vice president for institutional advancement. Staff traced the employee’s unauthorized entries from September 2009 through March 2016.
The employee was authorized to access information of patients necessary to do her job but had no need to access records of the patients in question, Waterbury said, noting that was why the inappropriate access wasn’t immediately detected.
Allen Hospital disabled the employee’s medical record access, took action consistent with its discipline policies and reported the incident to the United States Department of Health and Human Services.
The alleged incident constitutes a violation of the hospital’s patient privacy guidelines under the federal Health Insurance Portability and Accountability Act, or HIPAA. Such violations can result in civil or criminal penalties.
Allen Hospital has received no reports of identity theft related to this incident, Waterbury said. No credit card information was involved. The employee may have seen patients’ names, home addresses, dates of birth, medical and health insurance account numbers and information related to treatment.
In addition, for less than 15 percent of impacted patients she may have seen patients’ Social Security numbers.
“We apologize to our affected patients, and we accept our responsibility to keep this event from happening again,” Waterbury said.
Allen Hospital has mailed letters to all affected patients and is offering them membership in a credit monitoring product at no cost. Patients affected should receive those letters in a matter of days.
The hospital has also provided patients with guidance on other precautionary measures they can take to protect their information, including placing a fraud alert, placing a security freeze and/or obtaining a free credit report.
Allen also is educating authorized users of its medical records regarding UnityPoint Health’s policies on proper access. In addition, Allen Hospital is implementing additional audits to minimize the risk of a similar incident in the future.
Individuals seeking more information may call a special toll-free line at (877) 332-6271 from 8 a.m. to 8 p.m. Monday through Friday.
Individuals may also call Allen Hospital’s privacy officer at 235-3913 or contact Allen Hospital at 1825 Logan Avenue, Waterloo, IA 50701 Attn: Privacy Officer.