Internal and external investigations in Minnesota reveal that the state is suffering its fair share of medical data breaches. While the ramp-up to implementation of the Affordable Care Act has generated tales of larger-scale data breaches in densely-populated states like California, there’s evidence that the sparser Land of 10,000 Lakes is carrying its proportionate share of the responsibility for patient information improprieties.
In late-October, the Minneapolis-based Allina Health System fired a medical assistant after it was determined by an internal investigation that she viewed the electronic records of patients without authorization over a three-year period. Almost all of the 3,907 patients whose records were accessed had been treated at the Inver Grove Heights Clinic where the woman worked. The Allina system is composed of eleven hospitals and more than fifty physician clinics, where caregivers use the electronic record system to manage patient information.
Allina began its investigation after a co-worker reported what seemed to be the unauthorized access of patient records by the medical assistant in question. Such staffers generally perform tasks such as escorting patients to exam rooms and collecting blood pressure, temperature, and weight information. Although not authorized to do so, the now-terminated employee gained access to patients’ demographic, clinical, and insurance information, as well as the last four digits of their Social Security numbers. Her improper accesses were determined to have occurred from February 2010 until September 2013.
There was no evidence the woman had used information for financial gain and the health system did not determine a motive for the data breaches. Allina did not find that the woman accessed the medical records for identity theft purposes and to prevent a recurrence, officials said the health system is evaluating its policies on patient information and examining its computer security programs.
According to a St. Paul Pioneer Press story on the results of the Allina probe, this is not the company’s first data-breach rodeo. In May 2011, it fired 32 employees for improperly viewing medical records of patients who were involved in a mass drug overdose in Blaine. And the rest of the state has been doing its share, as well:
“Since 2009, there have been 682 breaches reported to the federal government that involve more than 500 people per incident. Twelve of these breaches have been reported in Minnesota, including an incident last summer at Fridley-based Medtronic and a 2011 case where a laptop computer with patient data was stolen from a contractor working for Minneapolis-based Fairview Health Services.
‘Covered entities were only required to begin reporting breaches of unsecured protected health information to (the government) in 2009,’ Rachel Seeger, spokeswoman for the Department of Health and Humans Services, wrote in an email.
She said the 682 breaches have involved ‘the protected health information of roughly 27 million people.’
The Minnesota reports, which don’t include the latest Allina incident, affected 69,668 people, Seeger said.”
According to anecdotal evidence trickling out, data breaches and misuse are continuing to grow under the ACA with the increased amount of patient information being inputted into state insurance exchanges, provider networks, and health systems. Look for them to continue and to likely increase in Minnesota and across the country, where investigations will continue and the results will add to already-shocking tallies.