Mercy Health revealed that it had fired an employee who was responsible for an insider breach involving its systems.

On December 4, Mercy Health posted a notice informing its patients of a medical records incident that had occurred earlier in the year.

The bulletin explained that Mercy Health, the fifth largest Catholic health care system in the United States, had learned on October 7 that a former employee had accessed medical record information that was not essential for the performance of their work-related duties.

That medical record information included patients’ names, dates of birth, addresses, medical record numbers, treatment details and radiology images, among other pieces of data.

The employee had also accessed the health insurance ID numbers for a small number of patients, Mercy Health explained, though they had not viewed patients’ credit card credentials or financial details.

The health care system confirmed that it had taken steps to address the security incident. As quoted in its notice:

Upon discovering the incident, Mercy immediately investigated the incident and made additional enhancements to procedures to prevent a similar incident from happening in the future. Additional education was provided to staff regarding compliance with the organization’s policies and procedures. The employee who accessed the information no longer works at Mercy.

Mercy Health noted that it would be offering free membership to IDX’s identity theft protection services for the span of a year.

Additionally, it highlighted other efforts that individual patients could take to protect themselves against identity theft. It specifically recommended that patients potentially affected by the security incident monitor their account reports and billing statements for unexpected charges, remain vigilant for emails and phone calls that might request personal information as well as consider placing a fraud alert or a security freeze on their credit files.

This incident underscores the (Read more...)