accessed patient information outside of their normal job duties.
How many victims? 1,029, according to reports.
What type of personal information? Names, dates of birth,
ages, genders, medical record numbers, and treatments and/or diagnosis
information. In some instances, health insurance information and Social
What happened? An employee of a Meritus Medical Center vendor may have accessed patient information outside of their normal job duties.
What was the response? Meritus suspended the employee's access
to its systems and conducted an investigation. Meritus is working to
further strengthen controls related to vendor access to patient
information, and is enhancing its existing system monitoring
capabilities with regard to vendor access. All potentially impacted
patients are being notified.
Details: The incident was discovered by Meritus on May 4
during its routine compliance and self-audit efforts. The employee may
have accessed the data between July 2014 and April 2015.
Quote: “Even though we have no evidence that any of this
information has been misused, we began mailing letters to affected
individuals on June 26, 2015, and have established a dedicated call
center to answer any questions they may have,” a notification posted to
the Meritus website said.
Source: meritushealth.com, “Notice to Meritus Medical Center Patients Regarding Privacy Incident,” June 26, 2015.