The Hospital Authority of Valdosta and Lowndes County Georgia lately announced a data breach where an old employee of South Georgia Medical Center copied patient information without authorization.
On November 12, 2021, the hospital’s security software program created a notice showing that an employee copied information from the hospital’s systems to a USB drive. As per the investigation, it was confirmed that the downloaded information contained patients’ names, birth dates, and test data. The breach report was recently submitted to the Department of Health and Human Services’ Office for Civil Rights indicating that the incident affected the protected health information (PHI) of 41,692 persons.
The employee had been given access to patient information so as to accomplish work responsibilities, however, no permission was granted to copy patient information and take it away from the hospital. The worker quit work at the healthcare facility on November 11, 2021.
South Georgia Medical Center stated no information was deleted from its computer systems and the stolen files had been retrieved. The report of this data theft incident has been forwarded to law enforcement, therefore the Lowndes County Sheriff’s Office conducted an investigation of the breach and the retrieved files.
The CEO of South Georgia Medical Center, Ronald Dean, stated that it is believed that no copied data was misused in whatever way, and no financial information nor Social Security numbers were taken from the hospital’s system. Nevertheless, those who had their PHI removed from the hospital had been provided with membership to a credit monitoring and identity theft restoration service for free.
According to the sheriff’s office, as published in the Valdosta Daily Times, a 43-year-old ex-employee of South Georgia Medical Center was accused of felony computer invasion of privacy and felony computer theft in connection with the incident. The reason why she copied the information is not clear.
South Georgia Medical Center stated modifications had been applied after the incident to strengthen security, which includes restricting the usage of USB drives and giving additional training to the employees.