The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Florida Hospital Group Notifies Patients of Employee Data Theft

Posted By on Jun 17, 2015

A hospital in central Florida has sent breach notification letters to 94 patients informing them that their Social Security numbers, dates of birth, annual income and full names have been inappropriately accessed by a former employee of the hospital.

The data breach was reported to Channel 9 News by a former patient of a Community Health Centers hospital facility who recently received a breach notification letter in the post informing her that her Protected Health Information (PHI) had potentially been stolen. She was told in the letter that she may be at risk of becoming a victim of identity theft and that her data may be used for fraudulent purposes.

Following the discovery of the breach the employee’s access to CHC’s patient database was terminated, as has her employment. In the letter, CHC advised patients that it will be “working on enhanced privacy monitoring systems” to reduce the risk of insider HIPAA breaches happening in the future, and to rapidly identify inappropriate access should it happen again.

It is not clear at this stage whether the employee accessed the medical records of patients out of curiosity, or if the records were viewed with the intention of using PHI for personal gain. Often data is accessed and copied to sell on the black market, or is stolen by employees to allow them to obtain medical services and prescriptions, file false tax returns, commit identity theft and obtain credit. Since there is a risk that the data has already been disclosed to another party, breach victims have been advised to exercise caution.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

CHC is offering a year of credit monitoring, credit protection and identity theft resolution services to all 94 patients whose records were inappropriately viewed by the unnamed employee.

The Spate of Employee HIPAA Violations Continues

Hospital employees have caused a number of HIPAA data breaches in recent months. In Florida, there have been two data breaches reported in the past three months involving employees inappropriately accessing, and copying protected health records. In March, two employees of the Florida Hospital are alleged to have stolen the Social Security numbers of 9,000 individuals, and in May Orlando Health discovered an employee had inappropriately accessed 70 patient records.

May saw employee data breaches discovered by a number of healthcare providers. An employee at a New York Hospital emailed 3,957 records to a personal account, while a University of Rochester Medical Center employee took the PHI of 3,403 individuals to a new employer.

The Medical Management data breach exposed 20,512 records and impacted up to 40 hospitals. That breach was caused by a former employee of a Business Associate who took data from the company and disclosed it to a third party.

However, one of the largest data breaches involving inappropriate accessing of records came to light in December last year. A former employee of the Early Learning Coalition of Palm Beach County was discovered to have inappropriately accessed up to 230,000 records.

HIPAA Breach Notification Rules on Data Breaches Involving Fewer Than 500 Individuals

Data breaches involving fewer than 500 individuals do not need to be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) until the March of the following year, although healthcare providers do have a responsibility to notify breach victims and to take steps to mitigate any damage caused.

Identity theft protection services should be offered if there is a reasonable risk of the PHI being used inappropriately. Credit monitoring services should be provided to patients for a period of 12 or 24 months.

Some states have introduced even stricter data breach laws. Healthcare organizations may have to adhere to even stricter data breach rules. There may be shorter timescales for issuing breach notices and some states demand damage mitigation services to be offered to breach victims and dictate the length of cover. State laws must be checked following a breach and adhered to if financial penalties from state Attorney General’s offices are to be avoided.

Tips for Preventing Employee Data Theft (and mitigating damage and loss)

 

It is not possible to stop employees from accessing medical records if they need to be provided with access to EHRs for work purposes. However, a number of steps can be taken to reduce the risk of insider HIPAA breaches occurring.

Regular Privacy Training is Essential

Training on HIPAA rules is essential and regular refresher training sessions remind staff about data security and privacy issues. The penalties for improper access of PHI must be stressed. Criminal charges can be filed for improper access of Protected Health Information and theft of PHI with intent to profit carries a stiff fine and up to 10 years in jail.

Implement a Confidential Reporting System

The workforce must be made aware of the importance of data privacy, and they should be asked to be vigilant and to report suspected HIPAA violations. Employees should be provided with a confidential means of reporting other members of staff if they suspect them of inappropriately accessing EHRs, paper files, or otherwise violating the privacy of patients.

Log and Audit PHI Access Regularly

One of the best protections and deterrents against improper data access and PHI theft is to install a system to monitor access to Protected Health Information. If the staff believes that there is a very real threat of being caught snooping or stealing PHI, there will be less temptation to take a peek. However, automated systems can monitor access, but it is up to the covered entity to make sure access logs are checked regularly.

Implement Safeguards to Avoid an OCR Penalty

It may not be possible to eliminate the risk of insider HIPAA breaches entirely, but it is certainly possible to reduce the risk to a minimal and acceptable level. Covered entities that can demonstrate they put the appropriate technical, physical and administrative controls in place to secure PHI, will avoid an OCR HIPAA fine if a breach does occur.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist