Share this article on:
A former employee of the Thomasville Eye Center in Thomasville, GA has been discovered to have accessed the protected health information of patients without authorization. PHI was stolen from the eye center and used to open credit accounts in the names of the patients.
The eye center was alerted to the identity theft on August 8, 2016 and immediately launched an investigation to determine whether this was an isolated incident or if other patients had potentially been affected. The eye center discovered that the records of 10,891 patients had been accessed by the employee. The information contained in those records included names, addresses, birthdates, medical billing information, and Social Security numbers.
After confirming that PHI had been improperly accessed, the employee was terminated and law enforcement was notified. The eye center is continuing to work with law enforcement and is assisting in the criminal investigation of the employee’s activities. All affected patients have now been notified of the breach by mail and credit monitoring and identity theft protection services have been provided for a period of 12 months without charge.
If employees are provided with access to the protected health information of patients, there is a risk of PHI access rights being abused. While it is not possible to eradicate the risk of data theft by empoloyees, healthcare organizations can take a number of steps to reduce risk. These include:
- Conducting background checks prior to employment being offered
- Ensuring training is provided on privacy and the penalties for improper PHI access are explained to staff
- Restricting access to PHI to the minimum necessary information for work duties to be performed
- Restricting access to PHI to an individual worker’s patient case load
- Blocking the use of portable storage devices (USB ports)
- Ensuring PHI access logs are recorded and are frequently reviewed to ensure improper PHI access is identified promptly if and when it does occur
Thomasville Eye Center has now implemented a number of changes to policies and procedures to reduce the risk of employee data theft. The number of employees permitted to process credit applications and access patients’ financial information has now been reduced and Care Credit Card applications can no longer be taken over the telephone. Credit applications are now being monitored and audited and the eye center’s computer system now masks Social Security numbers. All staff members have also been retrained on privacy and security.