Insider Breach Exposes 14,000 UMass Memorial Patients’ Data

Massachusetts’ UMass Memorial Medical Group (UMMMG) recently acknowledged that a former employee may have inappropriately accessed patient information (h/t

The Worcester Telegram & Gazette reports that approximately 14,000 patients may be affected.

On April 9, 2014, UMMMG notified law enforcement after learning that some patient information may have been accessed and used for fraud. After an investigation, an employee was identified who may have inappropriately accessed patient billing records between January 7, 2014 and May 7, 2014.

“We are making this announcement now, because law enforcement investigators required that we withhold notification to our patients while they conducted their investigation,” UMMMG said in a statement [PDF] published on January 30, 2015. “On January 28, 2015, we were given permission by law enforcement to notify and we are notifying potentially affected patients as quickly as possible.”

The information potentially accessed varies in each case, but includes patient names, addresses, birthdates, medical record numbers and Social Security numbers, as well as credit or debit card numbers, phone numbers, email addresses and guarantors’ names.

“To help prevent this type of situation from happening again, UMMMG is further strengthening its privacy and information security program, including identifying additional measures and enhancements to existing safeguards to protect patient information,” the medical group stated.

In a similar breach at California Pacific Medical Center (CPMC), a former pharmacist employee may have inappropriately accessed 844 patients’ records (h/t SC Magazine).

CPMC first discovered the breach during an audit of its electronic medical record system on October 10, 2014. Fourteen patients were notified on October 21, 2014; the investigation was expanded, and a total of 844 potentially affected patients were eventually identified.

The medical center has determined that between October 2013 and October 2014, an employee, who has since been fired, inappropriately accessed the following information: patient demographics, last four digits of Social Security numbers, clinical information including diagnoses and clinical notes, and prescription information.

“CPMC has no evidence of a malicious intent or any unauthorized sharing of patient information by the employee,” the medical center stated. “CPMC believes that the employee accessed the information out of curiosity.”

According to Vormetric’s 2015 Insider Threat Report, fully 93 percent of U.S. IT decision makers feel their organizations are vulnerable to insider threats — and 59 percent of U.S. IT decision makers believe privileged users pose the greatest threat to their organizations.

A separate survey of 200 federal IT and IT security decision makers conducted by Market Connections in conjunction with SolarWinds found that 53 percent of respondents believe careless and untrained insiders pose the greatest IT security threat to their agencies, up significantly from 42 percent a year ago.

“Interestingly, we have positioned ourselves relatively strongly against external threats, but it is the accidental or malicious insider threat which has caused us more problems,” a director of operations at the Defense Contract Management Agency said in a statement.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
