Ohio Medical Practice Fires Employee Over Patient Privacy Breach


A healthcare provider based in the US state of Ohio has released a statement saying it fired an employee for snooping in on patients’ records, showing transparency amid unfavorable news. Credit card information was not accessed, the practice says.

Mercy Health, a Catholic healthcare provider with locations in Ohio and Kentucky, says the news release is meant “to provide notice about a medical records privacy incident affecting patients who received services” at its medical facilities.

As the story goes, in early October a Mercy employee accessed medical record information that the person didn’t need to do the job. The information included names, addresses, dates of birth, medical record number, treatment and other clinical information and/or radiological images, as well as other demographic information.

The employee did this repeatedly, breaching the privacy (and potentially the security) of several Mercy patients. For a small number of customers, the employee also accessed health insurance identification numbers, according to the notice.

“Credit card numbers and other financial information were not accessed,” the practice says. “The employee who accessed the information no longer works at Mercy,” it adds.

After discovering the breach, Mercy immediately started an investigation.

The provider made “additional enhancements to procedures to prevent a similar incident from happening in the future,” it says.

“Additional education was provided to staff regarding compliance with the organization’s policies and procedures,” according to the press release.

It’s unclear why the employee breached patient data. However, the announcement alludes to an intent to commit fraud, with Mercy urging affected parties to keep a close eye on credit reports and account statements for unauthorized activity.

The provider also tells patients to watch out for phone calls or emails requesting personal information (i.e. phishing), and encourages them to contact consumer reporting agencies to place a fraud alert on their credit report.

Finally, “out of an abundance of caution,” Mercy is offering all affected individuals free identity theft protection services for one year through IDX, the nation’s largest provider of data breach response services.