A radiologist contracted by Griffin Hospital, a 160-bed acute care community hospital in St. Derby, Conn., has breached images of 957 patients. The radiologist accessed the reports on the hospital's PACS system, downloaded image files of 339 of these patients, and even contacted some of the patients offering to provide professional services at another area hospital.
Hospital officials said they have notified the 957 patients after an investigation, prompted by patient inquires, revealed the breach, which occurred during the period from February 4 to March 5, 2010.
"Griffin Hospital has stringent policies, procedures and systems in place to protect patient information and takes very seriously our obligation to safeguard the personal and health information of our patients," said Griffin President Patrick Charmel. "This breach, however, appears to have been a deliberate intrusion into Griffin's Digital Picture Archiving and Communication System (PACS) to view patient radiology reports. We acted quickly to complete an audit and investigation and to notify affected patients. As a result of this breach, steps are underway to further strengthen the security of patient information. We regret that this incident has occurred, and are committed to prevent future such occurrences," Charmel said.
The radiologist previously, but not currently, affiliated with the hospital or on the Griffin Hospital Medical Staff accessed the reports using the passwords of other radiologists and an employee within the radiology department without their knowledge, according to hospital officials.
The physician's employment with the radiology group was terminated on February 3, 2010, which also resulted in the loss of his medical staff appointment at Griffin Hospital. The hospital also engaged with legal counsel who issued a cease and desist demand to the physician on March 5, 2010.
The hospital's investigation included an audit of information captured by PACS that revealed the repeated, unauthorized access from a single computer at a particular Internet Protocol (I.P.) address using the password of other physicians and employees.
Hospital officials said they have changed all of the passwords for PACS users whose passwords were identified as having been used without authorization.
The information accessed in the PACS directory that was scanned included patient name, exam date, exam description, gender, age, medical record number and date of birth. Patients' Social Security numbers and patient financial information are not information in the directory accessed, officials said.
Griffin is following all of the requirements of the American Recovery and Reinvestment Act of 2009 and the Health Information Technology for Economic and Clinical Health Act, said officials, including: notification of the U.S. Secretary of the Department of Health and Human Services, notification of patients that may have had their personal protected health information accessed in the breach, public disclosure to the local media through media notification, and posting information about the breach on Griffin's Web site. Griffin officials have also notified the Office of Connecticut Attorney General Richard Blumenthal about the breach.
