UnityPoint Health-Allen Hospital recently made the news as one of the latest healthcare environments to suffer a data breach. On the surface this looks like just another healthcare data breach, but there is something very different about it: the breach occurred over a span of seven years and was only recently discovered and reported.
A “former employee” accessed 1,620 patient records that contained personal information and may have seen patients’ names, home addresses, dates of birth, medical and health insurance account numbers, and health information related to their treatments.
The Allen Hospital compliance team detected inappropriate access that started in September 2009 and ended in March 2016. They started a review that resulted in the breach being reported to the U.S. Department of Health and Human Services and to the impacted patients.
Why was this inappropriate access not immediately detected with all the technology in place to ensure HIPAA compliance? What was missing?