PHI Disposal

A former Loyola University employee is charged with a felony after stealing a patient’s identity

Author Name Patrick Ouellette

A former Loyola University Medical Center nurse, Katrina R. Spears, was charged with felony identity theft on Sept. 8 after stealing a Loyola patient’s identity and heavily affecting her credit. Riverside, Illinois police, according to chicago.cbslocal.com, revealed that Spears had opened several credit accounts in a Riverside patient’s name and purchased thousands of dollars’ worth of clothing.

After the patient underwent a medical procedure at Loyola University Medical Center in Maywood, she explained to the Riverside police on Aug. 27 that she began having odd credit interactions with several businesses. Because Spears purchased several items using the patient’s credit card and had them sent to her home in Chicago, police were able to track her down by trailing the transactions back to an IP address within the hospital. And the Loyola security and IT departments were able to confirm that Spears had logged in with her user name and password.

In what appears to be an intensive process, the Riverside police are still helping the patient clear her name among credit companies and explain that her accounts had been hacked. Spears, according to chicago.cbslocal.com, was held on a $10,000 bond and a preliminary hearing that had been set for Monday, Sept. 16 in Maywood.

For Loyola University Medical Center, this case appears to call into question what type of role-based access (RBA) their infrastructure uses and whether they regularly employ user activity monitoring. Though Spears was a nurse, should she have been digging through this patient’s file as part of her job? HealthITSecurity.com will provide any follow-up details surrounding the case.

Data breach updates

PHIPrivacy.net also reported that a few updates were made to the Department of Health and Human Services (HHS) breach tool that hadn’t been accounted for previously. Though some are sparse on details, they are still now included on the HHS tool:

Kaiser Foundation Health Plan of the Northwest – This 647-patient breach happened on March 15, 2013 and looks to be different than the recently-reported Kaiser breach.

Summit Community Care Clinic – Summit, located in Colorado, experienced an IT breach that on July 22 that affected 921 patients. PHIPrivacy.net reached out for information, but hasn’t heard back.

Minne-Tohe Health Center/Elbowoods Memorial Health Center – This was a relatively dated breach that affected 10,000, as the North Dakota incident apparently happened on Oct. 1, 2011.

Logan Community Resources, Inc. – Logan, of Indiana, revealed that 2,900 patients were impacted by an Aug. 24, 2012 breach.

St. Francis Health Network (Franciscan Alliance ACO) – The Indiana organization reported that a breach involving Advantage Health Solutions affected 2,575 patients, according to PHIPrivacy.net.

Article Sourced From: http://healthitsecurity.com/2013/09/18/loyola-university-medical-center-reports-patient-data-breach/