An employee of UMass Memorial Medical Center (UMMMC) may have accessed and misused information on up to four patients, but officials with the Worcester facilities said they're not aware of any misuse of medical data.
In a statement released Monday afternoon, UMass Memorial officials said the now-former employee may have accessed names, addresses, dates of birth and Social Security numbers outside of the employee's normal duties between 2002 and March 2014. The potential data breach was discovered March 6, according to the statement.
"The information may have been used to open commercial accounts, such as credit card and cell phone accounts," the statement read. "Upon discovering this incident, (the medical center) immediately began an internal investigation. UMMMC continues to conduct its investigation and cooperate with law enforcement."
The statement said the employee no longer works at the medical center.
The statement said UMass Memorial officials, "out of an abundance of caution," are contacting approximately 2,400 additional patients whose information was accessed by the employee, although officials said there is no indication the information was misused. UMass Memorial began sending notification letters Monday to potentially affected patients.
The statement said UMMMC took two months to contact patients because of the length of time it took to determine the information the ex-employee had access to during the ex-employee's tenure.
For patients who were seen between May 6, 2002 and March 4, 2014 and who are aware of the misuse of their information in opening commercial accounts, UMass Memorial is requesting them to contact its Incident Response Line at 877-218-3036 Monday through Friday from 9 a.m. to 7 p.m. (except holidays), and provide this 10-digit reference number — 4476042814 — when prompted. The statement said UMass Memorial will investigate such reports to determine whether any misuse of data is related to this matter.
UMMMC is offering a year of free credit monitoring services to affected patients.
"UMMMC has had a privacy and information security program in place for several years, and UMMMC wants to assure UMMMC patients that UMMMC is committed to the security of patient information and taking this matter very seriously," the statement concluded. "To help prevent this type of situation from happening again, UMMMC is further strengthening its program, including identifying additional measures and enhancements to existing safeguards to protect patient information."
(Image credit: freedigitalphotos.net)