BY JIM HALL
A security breach in an online computer system at Mary Washington Hospital exposed the private medical information of some of its maternity patients.
A man who tried to use the Fredericksburg hospital's online registration system for his expectant wife said the files for 803 patients were publicly available on the site.
On Friday, a hospital official described the breach as an "anomaly."
She said the man was the only person to see the files, that he opened only two of them and that he did not print or download any data.
"We believe that this is a one-time incident," said Kathleen Allenbaugh, hospital spokeswoman.
Hospital officials first learned of the breach when a Spotsylvania County sheriff's deputy notified them that the online registration feature at the MediCorp.org Web site was not working correctly.
Rebecca and Gary Dennison, a Spotsylvania couple, had contacted police after learning that their private medical information was visible on the site.
Rebecca Dennison is expecting the couple's first child in November, and had preregistered online for her delivery.
Dennison said last week that a stranger who gave his name as "Mike" called her house the night of Saturday, Oct. 11, to tell her that he was looking at private information about her and her husband on the MediCorp site.
The man knew the couple's Social Security numbers, phone numbers, address, insurance carrier, her birth date and her doctor's name.
She was concerned, she said, because her husband was in Delaware on business at the time.
"I was in shock," she said. "I didn't know what to do. It was 11 o'clock at night."
Dennison called her husband, who contacted the Sheriff's Office after talking with Mike. A Spotsylvania deputy called Mike and then called the hospital.
Reached by phone last week, Mike said he was reluctant to talk about the incident, and agreed to do so only if his last name was not used.
"I didn't want to cause any trouble for anybody," he said.
He said he went to the MediCorp site to register his wife for her delivery. She, too, is pregnant with the couple's first child and expects to deliver in November.
Mike said he had trouble with the site, and at one point got a "certificate is revoked" error message.
He said he went to the address bar to delete the end of the long Web address, thinking that might help. Instead, he ended up at a series of internal pages that contained private information for 803 people, apparently everyone who had registered online for a delivery since Dec. 27, 2007.
The most recent registration was one that had been done earlier that day.
"It took me a while to sink in what I was looking at," Mike said.
Eventually he concluded, "Oh, this is not good."
He said he picked several people at random and called to warn them. Only Dennison answered her phone.
Mike said that when the Spotsylvania deputy called him, he again explained what had happened.
The deputy concluded that "it wasn't a criminal matter," said First Sgt. Liz Scott of the Sheriff's Office.
"Certainly it was a serious glitch in their system," Scott added.
The federal Health Insurance Portability and Accountability Act requires health providers to safeguard electronic patient data. Technical safeguards such as encryption and password protection are often used.
On Friday, a spokesman for the U.S. Department of Health and Human Services declined to comment specifically on the MediCorp breach.
In general, a hospital "may not disclose protected health information to the public without patient authorization," the spokesman added.
Allenbaugh said the hospital has contacted one of the people whose files Mike opened and is attempting to notify the other. The online registration form has been taken down.
Dennison said she and her husband have placed a "fraud alert" on their credit report in case someone uses their personal information.
She said she still plans to deliver her baby at Mary Washington.
"I'm not going to do anything online with them anymore," she added.
Staff librarian Craig Schulin
Jim Hall: 540/374-5433