It took a Massachusetts hospital 14 years to detect a data breach. To make matters worse, even after all that time, it wasn't the medical center itself that discovered the incident.

Tewksbury Hospital learned of the breach in the spring of 2017. It hasn't found any evidence to suggest the security incident resulted in attackers misusing patients' data. Even so, it believes the event compromised the security of affected individuals' personal and medical information.

As the state-run institution explains in a statement:

“In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient’s records without a good reason to do so. This discovery led to a broader review of the employee’s use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients.”

What, no access controls, and no routine review of who was opening which records? And why did the patient suspect someone had accessed their EMR inappropriately? Is this something that the hospital should have detected on its own, that is, prior to receiving a complaint from the victim?

There aren’t any details that help answer those questions.
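On the last question, the standard control is an access-audit review: every read of a patient record is logged with the employee who performed it, and reads by staff with no treatment relationship to that patient (and no recorded break-the-glass justification) are flagged for review. The script below is an added example, not code from the hospital's statement or from any real EMR product; the log format, the field names, the care-team table and the sample entries are all constructed here for illustration.

```python
"""Flag EMR record reads that have no documented treatment relationship.

Added example. The audit-log format, the care-team table and the sample
entries are assumptions constructed for this illustration, not data from
Tewksbury Hospital or any real EMR system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: timestamp, employee, patient, action, reason.
# An empty reason means the employee gave no break-the-glass justification.
SAMPLE_LOG = """\
2017-04-03T09:12:00 emp=E102 patient=P5001 action=view reason=
2017-04-03T09:14:10 emp=E102 patient=P5002 action=view reason=
2017-04-03T09:15:45 emp=E102 patient=P5003 action=view reason=
2017-04-03T10:01:00 emp=E077 patient=P5001 action=view reason=
2017-04-03T11:30:00 emp=E077 patient=P5009 action=view reason=emergency
2017-04-03T12:00:00 emp=E102 patient=P5009 action=view reason=
"""

# Constructed care-team table: which employees have a treatment
# relationship with each patient (assignment, consult, billing, etc.).
CARE_TEAM = {
    "P5001": {"E077", "E102"},
    "P5002": {"E077"},
    "P5003": {"E077"},
    "P5009": {"E051"},
}


def parse_line(line):
    """Parse one 'ts key=value ...' audit line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_unrelated_access(entries, care_team):
    """Split reads by staff outside the patient's care team into two lists:
    those with no justification (to investigate) and break-the-glass reads
    (legitimate in an emergency, but still reviewed after the fact)."""
    unrelated, break_glass = [], []
    for e in entries:
        if e["emp"] in care_team.get(e["patient"], set()):
            continue  # on the care team: a normal, expected read
        (break_glass if e["reason"] else unrelated).append(e)
    return unrelated, break_glass


def per_employee_counts(entries):
    counts = defaultdict(int)
    for e in entries:
        counts[e["emp"]] += 1
    return dict(counts)


def flag_employees(unrelated, threshold=2):
    """Employees whose unjustified out-of-relationship reads reach the
    threshold, sorted so the worst offenders come first."""
    counts = per_employee_counts(unrelated)
    return sorted((emp for emp, n in counts.items() if n >= threshold),
                  key=lambda emp: -counts[emp])


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    unrelated, break_glass = find_unrelated_access(entries, CARE_TEAM)
    for e in unrelated:
        print("REVIEW", e["ts"].isoformat(), e["emp"], "read", e["patient"])
    for e in break_glass:
        print("BTG   ", e["ts"].isoformat(), e["emp"], "read", e["patient"],
              "reason:", e["reason"])
    print("flagged employees:", flag_employees(unrelated))
```

Run daily over the previous day's audit log, a report like this surfaces an employee browsing records of patients they are not treating within a day rather than a decade. The care-team table is the hard part in practice; it has to be built from the scheduling, admission and billing systems, and its quality determines the false-positive rate.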

In terms of reputational impact from a security incident, very little is worse than first learning about a breach from an affected individual. Taking years to discover the event certainly magnifies the perception that the organization could have been more on the ball. But more than a decade? That’s a tough pill to swallow.

It turns out Tewksbury took 14 years to discover the event. Not surprisingly, this length of time limits the medical center’s ability to reach out to the some 1,100 patients whose personal and medical data the breach might have exposed. As it goes on to describe in its statement:

“Individuals who may be affected include people who were patients at Tewksbury Hospital from 2003 through May 2017. We have provided written notice to affected patients for whom the hospital has current contact information. We are also posting this substitute notice in a good faith attempt to notify affected individuals for whom we have insufficient or out-of-date contact information that precludes written notification, or to whom we are otherwise not able to provide written notice.”

To its credit, the hospital is taking this incident mighty seriously now. After firing the employee, Tewksbury is reviewing its policies regarding employee access to electronic medical records. Hopefully, this will lead to the implementation of access controls, and of regular audits of who is reading which records, in the near future.

In the meantime, those individuals who feel they might be affected should watch their credit reports and card statements carefully for suspicious activity. Should they spot any unauthorized transactions, they should request a new payment card from their card issuer. They should also consider placing a security freeze on their credit file, and, since this was medical data, check insurance statements for treatment they never received.
