Helsinki University Hospital (HUS) has recently issued a press release stating that one of its employees has been suspected of a serious breach of information security. The employee in question was responsible for managing customer invoices at HUS, and during the investigation, it was discovered that they had made unauthorized searches in both the national population register and HUS's patient record system.

The employee had accessed basic and family information from the population register, while in the patient record system, they had viewed personal information and, in some cases, details of visits to HUS. However, they did not have access to medical notes, test results, or other health-related information. The security breaches occurred between October 2019 and March 2023, during the employee's tenure.

According to Suvi Posio, HUS's administrative director, the unauthorized access affected not only patients and staff at HUS but also individuals who had no connection to the hospital, some of whom lived in Uusimaa, while others lived elsewhere in Finland. The investigation is still ongoing, but it has already been determined that hundreds of individuals' information was accessed inappropriately. Posio describes the event as "unusual and serious."

HUS has informed those affected by the security breach through a letter. All of the data-handling activities of the accused employee will be scrutinized for three and a half years, and it will be determined which activities were work-related and which were not. The review process is expected to take some time.

Posio confirms that the employee's access rights were necessary for their job, but they were misused. HUS is deeply sorry for the event and is "extremely disappointed" with the employee's actions. HUS has taken immediate action by disabling the employee's access rights, retrieving their tools, and terminating their employment. Additionally, HUS has reported the incident to the Data Protection Ombudsman's office.

In conclusion, the breach of information security at HUS is a reminder that data breaches can happen in any organization, regardless of its size or location. HUS's prompt response to the event and efforts to inform those affected are commendable. Organizations must prioritize data security and ensure that their employees understand the importance of handling data with care and responsibility.