Nebraska Medicine Breached By Rogue Employee

nebraska medicine data breach

Nebraska Medicine is warning that a rogue, former employee accessed patients’ medical records, Social Security numbers and more.

Hospital network Nebraska Medicine has disclosed a data breach after a former employee accessed sensitive patient data – including medical records and Social Security numbers.

The Nebraska Medicine network encompasses Nebraska’s largest hospital, Nebraska Medical Center, as well as other locations like Bellevue Medical Center. On Oct. 1, during an audit of its electronic medical record system, Nebraska Medicine discovered that an employee had accessed patient records “outside of the employee’s job responsibilities.” The employee was terminated the next day.

“Once Nebraska Medicine became aware of the incident, our staff took action to investigate, prevent further improper access and to notify affected patients,” a spokesperson told Threatpost.

After further investigation, the company determined that the unauthorized access occurred between July 11, 2018 and Oct. 1, 2019, and that the employee was able to view some patients’ medical records.  The information that was viewed may have included patients’ demographic information (such as name, address, date of birth, medical record number, Social Security number, license number); and clinical information, such as physician notes, laboratory results or imaging data.

Nebraska Medicine did not comment on how many patients were affected.

Despite stressing that it has “no reason to believe the information accessed has been or will be misused,” the healthcare provider is offering free credit monitoring for a year for patients whose Social Security numbers or driver’s licenses were accessible.

The healthcare industry continues to be battered by security incidents; in October in fact, healthcare data breaches soared 44 percent month-over-month, with 661,830 healthcare records being exposed or stolen during the month. Of these incidents, 28 involved unauthorized access or disclosure breaches similar to that of Nebraska Medicine.

Other hospitals and healthcare networks that have been breached over the past few months include Betty Jean Kerr People’s Health Centers (152,000 records exposed as a result of a ransomware attack); Kalispell Regional Healthcare (140,209 records thanks to a phishing effort); the Methodist Hospitals (68,039 records exposed via phishing), and the DCH Health System (struck by a ransomware attack). The impacts of these breaches are dire both for patients and in some cases for hospitals themselves —  in August, California-based Wood Ranch Medical announced that it was shuttering operations after the provider was unable to recover patient records on the heels of a ransomware attack.

To help prevent future similar incidents, Nebraska Medicine said it will continue to regularly audit their electronic medical record system for potential unauthorized activity, and are also retraining staff about appropriate access of patient information.

“Anyone with questions may call toll free 1-844-416-6280, Monday through Friday, between 8 a.m. and 5 p.m. CST,” the spokesperson said.

Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.

Suggested articles