Round Lake Beach, Ill.-based Hillcrest Nursing Center began notifying more than 1,000 residents in November that one of its staff physicians, who was fired in August, retained access to its EHR after termination and viewed their health information.
The nursing center reported the data breach to HHS on Nov. 24 as affecting 1,030 individuals. In a notice posted to its website, Hillcrest said that the physician was fired Aug. 4; on Aug. 23, family members of some of the center's residents notified Hillcrest that they had received phone calls from the terminated physician discussing the residents' care and treatment.
Hillcrest discovered Aug. 24 that the terminated physician still had access to its EHR system. The center then immediately revoked the physician's access. As a result of the incident, the terminated physician may have been able to access residents' personal information, including names, Social Security numbers, insurance information and medical history.
The center implemented a new facility policy to immediately remove users from its EHR system at the time of termination and is also offering free identity theft restoration and credit monitoring services to residents affected by the incident.