Mason City-based Mercy Medical Center-North Iowa mailed notification letters to about 1,900 patients after discovering a former employee may have inappropriately accessed their protected health information, the Globe Gazette reports.
The former employee accessed patients' birth dates, addresses, medication listings and insurance information between July 2017 and July 2018, according to an internal investigation. Hospital officials couldn't confirm whether all the records accessed were viewed for "appropriate job-related purposes."
"We deeply regret this event and apologize to you for this individual's actions. Inappropriate access to [EHRs] is contrary to Mercy Medical Center-North Iowa's policies and inconsistent with the high expectations we place on our colleagues," Mercy Compliance and Privacy Officer Kurt Harle said in the letter to patients.
Mercy is offering affected individuals one year of free identity-theft services, and its compliance team is reviewing privacy practices and re-educating all staff members.