Griffin Hospital has notified 957 patients of an apparent breach of personal protected health information during the period from Feb. 4 to March 5, after an investigation prompted by patient inquiries revealed the breach.
Based on available information, Griffin, which is located in Derby, Conn., said that a radiologist previously, but not currently, affiliated with the hospital or on the Griffin Hospital medical staff accessed patient radiology reports on the hospital's PACS using the passwords of other radiologists and an employee within the radiology department. The passwords were obtained and/or used without their knowledge.
From the investigation conducted by Griffin, it appears the radiologist who gained unauthorized access scanned the PACS directory listings of 957 patients who had radiology studies performed at Griffin during the period and selected and downloaded the image files of 339 of these patients.
On and after Feb. 26, Griffin received inquiries on behalf of patients regarding unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin. The inquiries prompted the investigation that revealed unauthorized intrusions into Griffin's PACS and, thereby, the breach of protected patient health information.
The physician was formerly a member of Griffin’s medical staff who had been employed by the radiology group with which Griffin contracted for its radiology professional services. During that time, the physician had authorized access to the PACS. Thereafter, the physician's employment with the radiology group was terminated on Feb. 3. That resulted in the loss of his medical staff appointment at Griffin Hospital and his authorization to access PACS. At the same time as the physician's PACS access was terminated his access password was revoked, according to the hospital.
"Griffin Hospital has stringent policies, procedures and systems in place to protect patient information and takes very seriously our obligation to safeguard the personal and health information of our patients," said Griffin’s President Patrick Charmel. "This breach, however, appears to have been a deliberate intrusion into Griffin's digital PACS to view patient radiology reports…As a result of this breach, steps are underway to further strengthen the security of patient information. We regret that this incident has occurred, and are committed to prevent future such occurrences.”