EHR audit at Nebraska Medicine reveals a data breach

An audit of the electronic health records system at Nebraska Medicine in October enabled the organization to discover a data breach earlier than it otherwise would have.

The audit disclosed that an employee was accessing patient records outside of the employee’s job responsibilities. Unauthorized data access occurred between July 11, 2018, and October 1.

Compromised information spanned nine types of protected health information, including Social Security numbers and driver's license numbers, as well as clinical information, physician notes, laboratory results and imaging.

Nebraska Medicine executives say they currently have no evidence that information has been misused, and the company is offering one year of identity protection and identity theft resolution services from Experian IdentityWorks.

Debra Bishop, privacy officer at the organization, apologized to affected patients. “To help prevent something like this from happening again, we are continuing to regularly audit our electronic medical record system for potential unauthorized activity and are retraining staff about appropriate access of patient information,” she says.

The number of persons affected by the Nebraska Medicine data breach has not yet been publicly disclosed, but the size of the breach soon will be posted on the HHS data breach web site.

Greg Wendt, executive director of security solutions at data security vendor Appsian, says Nebraska Medicine was proactive in conducting audits, which minimized the damage to the organization.

However, many providers aren’t implementing technology that provides extensive data protection beyond that offered by simple audits, Wendt contends. “You need to understand what data is being accessed, who is accessing the data and where that access is coming from. If you use enterprise analytics tools, you can be alerted to issues quickly.”

Segregation of duties within an organization, limiting what individuals have access rights to, should be implemented, he adds. “The whole idea of data protection is to not be surprised. You need more frequent audits, so have a platform in place so you can be notified when something is wrong.”
