“It took a Massachusetts hospital 14 years to detect a data breach. To make matters worse, even after all that time – it wasn’t the medical center itself that discovered the incident.”
“As the state-run institution explains in a statement:
“In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient’s records without a good reason to do so. This discovery led to a broader review of the employee’s use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients.”
“What, no access controls? And why did the patient suspect someone had accessed their EMR inappropriately? Is this something that the hospital should have detected on its own, that is, prior to receiving a complaint from the victim?”