Tewksbury Hospital fires employee after long-term snooping

Register now

An employee at Tewksbury Hospital in Massachusetts was found to be occasionally snooping in patients’ electronic medical records without clinical justification.

The inappropriate access of medical records occurred from 2003 until it was discovered this past spring. Now, the facility—one of four hospitals in the Massachusetts Department of Public Health serving complex chronically ill adult patients and psychiatric patients—has notified more than 1,100 affected individuals.

Tewksbury officials say they learned of the breach in April, when a former patient expressed concern that their medical record may have been inappropriately accessed. Compromised data included names, addresses, dates of birth, gender, diagnoses and medical treatments. Less than half of the records involved viewing of Social Security numbers, according to the hospital.

Also See: Beacon Health System reports breach from employee snooping

The state’s department of health said it has terminated the employee.

“To reduce the chance of future incidents like this occurring, we are reviewing our policies regarding access to the electronic medical records system,” Tewksbury executives noted in a statement. “We are also reassessing how we review our workforce members’ use of the electronic medical records system and will be reviewing the training we provide to all workforce members regarding the privacy and security of confidential information.”

Tewksbury Hospital is advising affected individuals to notify credit reporting agencies, order a credit report and review it for signs of fraud, and request a security freeze to prevent the opening of new accounts using the compromised information.

In its notification to patients, Tewksbury is not offering credit monitoring or identity theft protection services. Currently, there is no indication that information has been accessed or misused, according to a spokesperson for the hospital.

The hospital declined to provide additional details about the incident, and did not comment on why the inappropriate access had gone undetected for 14 years.

For reprint and licensing requests for this article, click here.