Federal office probes GMH network breach | Guam News | postguam.com
Federal office probes GMH network breach
Jolene Toves | The Guam Daily PostApr 23, 2023
Federal office probes GMH network breach
GMH: The entrance to Guam Memorial Hospital in Tamuning is shown March 7, 2023. An office within the U.S. Department of Health and Human Services is looking into potential harm caused to patients from a recent breach of GMH's electronic systems, according to an official with the office. David Castro/The Guam Daily Post
Facebook
Twitter
Email
Print
Copy article link
Save
The “unauthorized access” that prompted the Guam Memorial Hospital to shut down its network in March is now being investigated by the U.S. Department of Health and Human Services, according to an acceptance letter addressed to a whistleblower who is only identified as “Leaky Leaks.”
The acceptance letter, dated April 18, notified the whistleblower that the HHS Office for Civil Rights for the Pacific region was in receipt of the complaint.
According to the letter, the complaint alleged that GMH “violated the federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for Protection of Electronic Protected Health information” during the course of its response to the electronic breach.
The Guam Daily Post asked GMH’s legal counsel Jeremiah Luther if he could confirm that an investigation by the federal health department’s OCR had been launched, if they were in communication with the investigating entity and what information was being sought.
Luther, however, told the Post he did not have authorization to speak and forwarded the query to hospital spokesperson Cindy Hanson.
While GMH remained silent on the matter, the HSS letter identified specific sections of the federal standards – 45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules – which may have been violated.
“The (Health Insurance Portability and Accountability Act of 1996) Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information,” the HSS website states.
According to the complainant, the OCR, which enforces federal civil rights law, is seeking a list of patients potentially harmed by the network shutdown and is specifically investigating:
• The list of patients who should have received medication, but received the wrong prescription or no prescription medications because GMH's computer system was down in March 2023.
• The list of patients who should have had blood transfusions, surgical procedures, and other services, but did not because the GMH computer system was down.
• List of all other patients harmed by the GMH computer outage in March 2023.
Employee concerns
At the time the network was taken offline, a recording of a meeting that included GMH administration, staff and nurses revealed concern by some nurses that the network shutdown “put patients' lives at risk.”
Among the risks noted by nurses and acknowledged by GMH’s legal counsel included issues with filling prescription medication and blood transfusions not being carried out for scheduled patients because the network was shut down.
GMH reported on March 13 that the “unauthorized access” was discovered on March 2. At the time the hospital maintained that no patient information had been compromised and insisted the network was offline as a precautionary measure.
In the same press release, GMH thanked its medical staff for “painting an excellent level of care” for patients through the challenge.
As of press time Saturday, questions posed to Hanson regarding the investigation into the alleged violations remained unanswered.
Jolene Toves | The Guam Daily PostApr 23, 2023
Federal office probes GMH network breach
GMH: The entrance to Guam Memorial Hospital in Tamuning is shown March 7, 2023. An office within the U.S. Department of Health and Human Services is looking into potential harm caused to patients from a recent breach of GMH's electronic systems, according to an official with the office. David Castro/The Guam Daily Post
Copy article link
Save
The “unauthorized access” that prompted the Guam Memorial Hospital to shut down its network in March is now being investigated by the U.S. Department of Health and Human Services, according to an acceptance letter addressed to a whistleblower who is only identified as “Leaky Leaks.”
The acceptance letter, dated April 18, notified the whistleblower that the HHS Office for Civil Rights for the Pacific region was in receipt of the complaint.
According to the letter, the complaint alleged that GMH “violated the federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for Protection of Electronic Protected Health information” during the course of its response to the electronic breach.
The Guam Daily Post asked GMH’s legal counsel Jeremiah Luther if he could confirm that an investigation by the federal health department’s OCR had been launched, if they were in communication with the investigating entity and what information was being sought.
Luther, however, told the Post he did not have authorization to speak and forwarded the query to hospital spokesperson Cindy Hanson.
While GMH remained silent on the matter, the HSS letter identified specific sections of the federal standards – 45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules – which may have been violated.
“The (Health Insurance Portability and Accountability Act of 1996) Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information,” the HSS website states.
According to the complainant, the OCR, which enforces federal civil rights law, is seeking a list of patients potentially harmed by the network shutdown and is specifically investigating:
• The list of patients who should have received medication, but received the wrong prescription or no prescription medications because GMH's computer system was down in March 2023.
• The list of patients who should have had blood transfusions, surgical procedures, and other services, but did not because the GMH computer system was down.
• List of all other patients harmed by the GMH computer outage in March 2023.
Employee concerns
At the time the network was taken offline, a recording of a meeting that included GMH administration, staff and nurses revealed concern by some nurses that the network shutdown “put patients' lives at risk.”
Among the risks noted by nurses and acknowledged by GMH’s legal counsel included issues with filling prescription medication and blood transfusions not being carried out for scheduled patients because the network was shut down.
GMH reported on March 13 that the “unauthorized access” was discovered on March 2. At the time the hospital maintained that no patient information had been compromised and insisted the network was offline as a precautionary measure.
In the same press release, GMH thanked its medical staff for “painting an excellent level of care” for patients through the challenge.
As of press time Saturday, questions posed to Hanson regarding the investigation into the alleged violations remained unanswered.
