UMMMC learned of the access, which may have taken place over a 12-year period, on March 6, 2014. "Our investigation has determined that the employee had access to patient information such as name, date of birth, Social Security number, and address at some point between May 6, 2002 and March 4, 2014," the hospital said in a statement [PDF].
According to the hospital, the data may have been used to open credit card and cell phone accounts, though there's no indication at this point that any of the information was actually misused.
"UMMMC has had a privacy and information security program in place for several years, and we want to assure our patients that we are committed to the security of patient information and taking this matter very seriously," the hospital added. "To help prevent this type of situation from happening again, UMMMC is further strengthening its program, including identifying additional measures and enhancements to existing safeguards to protect patient information. UMMMC is also re-enforcing staff education regarding our policies and procedures to safeguard patient information."