CPMC, an affiliate of Sutter Health, first discovered the breach after a proactive audit of its EMR system on Oct. 10, 2014. The initial audit resulted in identification and notification of 14 individuals on Oct. 21, 2014. Following its policy, CPMC fired the employee and broadened the investigation, which later identified a total of 844 patients, according to Sutter Health.
“It is unclear whether all of these records were accessed inappropriately but, out of an abundance of caution, CPMC notified all of these patients,” according to a release.
CPMC has determined that between October 2013 and October 2014, the employee accessed data on patient demographics, the last four digits of Social Security numbers, clinical information including diagnosis and clinical notes and prescription information. The employee did not have access to full Social Security numbers, driver’s license numbers, California identification numbers, credit card numbers or financial account information.
CPMC does not believe the employee acted out of malicious intent but “out of curiosity,” according to the release.