Tewksbury Hospital has become aware of an incident that may have compromised the security of some patients’ protected health information. While Tewksbury Hospital has discovered no indication that any patient information was actually misused, this notice contains details about the incident and our response to it. This notice also contains important information about steps people can take to protect their information.
In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient’s records without a good reason to do so. This discovery led to a broader review of the employee’s use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients.
Who is Affected?
Individuals who may be affected include people who were patients at Tewksbury Hospital from 2003 through May 2017. We have provided written notice to affected patients for whom the hospital has current contact information. We are also posting this substitute notice in a good faith attempt to notify affected individuals for whom we have insufficient or out-of-date contact information that precludes written notification, or to whom we are otherwise not able to provide written notice.
What Information Was Affected?
The information that was inappropriately viewed included names, addresses, phone numbers, dates of birth, gender, diagnoses, or other information about medical treatment at Tewksbury Hospital. For some individuals, it may also have included a social security number.
What is Tewksbury Doing in Response?
The individual responsible for this incident is no longer employed by Tewksbury Hospital and no longer has access to the Tewksbury Hospital electronic medical records system. This incident has been reported to the Massachusetts Attorney General’s Office, the Massachusetts Office for Consumer Affairs and Business Regulation, and the U.S. Department of Health and Human Services Office for Civil Rights.
To reduce the chance of future incidents like this occurring, we are reviewing our policies regarding access to the electronic medical records system. We are also reassessing how we review our workforce members’ use of the electronic medical records system, and we will be reviewing the training we provide to all workforce members regarding the privacy and security of confidential information.
What Can Affected Individuals Do?
There are some things individuals can do if they are concerned about the potential misuse of personal information. Individuals may wish to contact one or more of the three major consumer reporting agencies to take the following steps:
- Notify them of the loss of personal information and request an initial fraud alert to be placed on your credit for 90 days.
- Order a credit report and review it for any signs of fraud on any accounts. For example, look for inquiries listed on the credit report from businesses that accessed your credit without a request.
- Request a security freeze which will restrict the opening of new accounts using your information. Please note that requesting a security freeze on credit may delay, interfere with or prevent timely approval of any requests made for new loans, credits, employment, housing or other services.
Tewksbury Hospital takes patients’ privacy seriously and has been working diligently to investigate this incident. If you have any questions regarding this notice, please call one of these toll free numbers between 9:00 AM and 5:00 PM Monday-Friday.
- Medical Units: 888-850-7541
- Mental Health Units: 888-850-7571