‘Unauthorized Access’ To Patient Data After Medical Transcription Lapses

Jay Decenella, IT audit expert
August 03, 2011

A medical transcription company in the Philippines has been implicated in a data breach involving nonpublic data of patients at Tallaght hospital in Dublin, Ireland.

Acting chief John O’Connell said the scale of the breach appears to be much wider, having gone beyond Tallaght hospital after “unauthorised access and disclosure” was spotted when the data was sent to the Philippines for transcription.

It is understood that Tallaght hospital has entered into private arrangements with Irish-based Uscribe, though its management maintained that the hospital does not outsource medical transcription services.

Its arrangement with the transcription company was terminated in May. Tallaght hospital is now using another service provider.

“On the termination of the contract with the dictation service, the hospital continues to ensure that all data is being returned and hospital staff have been processing uncompleted correspondence,” O’Connell said.

At issue is the data breach that hit records containing individual patient information. The hospital clarified that the unauthorized access involved only consultations with doctors and not the full medical records.

However, some personally identifiable information has reportedly been leaked in some cases.

Early this year, 60,000 individuals whose records were on two computers stolen from Ottawa-based Bruyere Family Medical Centre faced the risk of a data breach, as confirmed by president and CEO Jean Bartkowiak in filings submitted to Ottawa police and the Office of the Information and Privacy Commissioner of Ontario.

In a statement, O’Connell said: “Tallaght Hospital has asked the Garda Síochána to assist it in determining how sensitive patient information got into inappropriate hands.

“The hospital has been working closely with the National Bureau of Investigations in the Philippines and the UK Information Commissioner.”

Tallaght hospital’s IT director has been in the Philippines over the last week to assist legal authorities investigating the case, O’Connell said, adding that he has been working closely with the Data Protection Commissioner over the last two weeks.

Upon taking up his position in July 2010, the hospital administrator said he had instructed that the transcription service be evaluated.

O’Connell blamed the hospital’s custom of changing service provider and putting in place new policies and procedures. He said the material for transcription has always been encrypted as one of the IT security practices in the hospital.

He added: “Since 2010, it has also been the policy of the hospital that no patient identifiers should be used; regrettably, this policy has not always been followed in practice.

“Some letters were dictated which did not come back transcribed. While it was the policy of the hospital to keep information sheets for each letter, this practice was not followed universally.”

Deputy data protection commissioner Gary Davis said the hospital was taking the matter seriously, adding that it had sent its IT manager to the Philippines to liaise with the medical transcription company.

O’Connell will meet with the Data Protection Commissioner’s office today.

Meanwhile, Minister for Health James Reilly urged Tallaght hospital to notify affected patients about the data breach.

 
