Two former Sentara employees pleaded guilty this month to accessing patients' electronic health records inappropriately in a scheme to file fraudulent tax returns, the health-care system has revealed. Both were nurses' aides, according to Greg Burkhart, chief compliance officer.
It's the second reported security breach of electronic records involving Sentara in less than a year.
The breach exposing patients' personal information — including name, date of birth, Social Security number and address — stretched from September 2011 to April 2013, but largely took place between mid-September 2012 and mid-February 2013. During that time, officials said, the aides accessed the records of about 3,700 patients, most at Sentara Virginia Beach General.
"The proper focus is on the patient, not the facility," Burkhart said, noting that patients move among facilities. The tax fraud "impacted fewer than 200," and they have been contacted by the IRS, which is working with them to repair the information, he added. All potentially affected have received a letter from Sentara explaining the situation and have been offered a year of free credit monitoring through ProtectMyID Alert, which comes with $1 million in theft insurance.
Lawrence Combs, Jr., a Newport News resident, received a letter. Combs, who recently turned 18, went to the emergency room at Sentara CarePlex in Hampton on a couple of occasions last year. "The hospital is supposed to be a safe place. There are too many gaps," said his mother, Clara Strait, expressing fear about identity theft problems surfacing in the future, after the one-year insurance offered by the credit-monitoring company. Her first two calls to the company went to voicemail, and she said she had not yet heard back from anyone with details of the assistance being offered.
For Sentara, the breach followed an incident reported in January, when an employee of Omnicell Inc. had his laptop with unencrypted patient information stolen from his locked car. The California-based medication management system manages Sentara's medication dispensing systems. The information, which potentially affected 56,000 Sentara patients treated in 10 hospitals over a three-week period in 2012, did not include Social Security numbers. "There is no indication that data has been accessed. It appears to have been a crime of opportunity, not for patient information," said Sentara spokesman, Dale Gauding.
In reaction to the local breach, Sentara has implemented a new policy to mask Social Security numbers in the record. That should be complete within the next 30 days. The company is also working to add a new layer of software security to detect inappropriate access more effectively. The process has been under way since before the breach. "It's much like the banking industry. We're always trying to improve it," said Burkhart. The new system is scheduled for full implementation by the end of the first quarter in 2014.
Several thousand of Sentara's 26,000 employees have access to electronic records, including clerical and billing personnel, those in registration, in labs, and nurses and physicians. "Everybody who accesses leaves a digital signature. There are ways to track use," said Gauding, contrasting it with paper files, which allow people to look through without leaving a trail. "These were two people charged in a criminal enterprise, individuals who violated a personal pledge to protect patient information. How many thousands do this properly every day?"
Still, Burkhart described it as "a breach of trust — a significant black eye for us."
With electronic records now the industry standard, health systems have to be constantly on the alert. In May, two certified nursing assistants at Bon Secours Mary Immaculate Hospital in Newport News were terminated for improper use of the hospital's electronic records over the course of a year, from April 2012 to April 2013. They potentially compromised the records of 5,000 patients. The incident is still under criminal investigation, according to spokeswoman Lynne Zultanky.
"We regularly provide our workforce education and training including the penalties associated with inappropriate access, such as immediate termination, reporting of licensed individuals to state licensure boards, and the potential for law enforcement involvement if criminal conduct is suspected," said Kotrina O'Neal, chief privacy officer for Bon Secours Health System.
Since 2009, any records breach that potentially affects 500 people or more must be reported within 60 days to media outlets and the Office of Civil Rights and the U.S. Department of Health and Human Services. Smaller breaches are reported on an annual basis.
Salasky can be reached by phone at 757-247-4784
What can you do?
• If you think your records might have been affected, but you have not received a letter from Sentara by Nov. 1, 2013, you can call 1-866-833-7917 between 9 a.m. and 9 p.m. for information.
• If you believe you are the victim of identity theft, or have reason to believe that your personal information has been misused, you should contact the Federal Trade Commission and/or the attorney general's office in your home state; http://www.ftc.gov/idtheft or 1-877-438-4338; Virginia's Consumer Protection Hotline, 1-800-552-9963, or 804-786-2042.
You should also contact local law enforcement and file a police report; obtain a copy of the latter in case you are asked to provide copies to creditors to correct your records.
• Victims and potential victims of fraud should complete and submit IRS Form 14039, Identity Theft Affidavit. There are two local IRS Walk-In Field Assistance offices: 903 Enterprise Parkway, Hampton; Norfolk Federal Building, 200 Granby St., Room 114, Norfolk; or call IRS Identity Protection Specialized Unit, 1-800-908-4490.