An employee of the Bon Secours St. Francis Health System has had her employment contract terminated after the healthcare provider became aware of privacy violations and numerous cases of medical fraud. The employee in question is alleged to have accessed the private and confidential records of fellow employees, and potentially patients, over a period of 20 months. The data accessed appears to have been used to file claims against co-workers’ insurance policies for expensive prescription creams.
The privacy violations came to light in July, 2015, when employees of St. Francis Health started noticing their insurance company had billed them for “high dollar value” prescription creams, and the matter was brought to the attention of managers at St. Francis Health.
When fraudulent claims are made to insurance companies, it can be difficult to determine the person responsible. With the volume of data breaches now occurring, it is possible that insurance data and other information could potentially have been obtained from any number of sources. In this case, since a number of employees from the same hospital had been affected, the data breach appeared to come from within.
St. Francis Health responded to the complaints by initiating an internal investigation to determine whether the insurance claims were made by a malicious insider. The investigation revealed that an employee had inappropriately accessed the records of employees and patients. According to the Greenville News, the internal investigation revealed that the records of 30 employees had been accessed, and potentially as many as 1,997 patient records.
The type of information accessed was consistent with the insurance claims made. St. Francis Health also determined that there was no valid reason for the data to have been accessed. This was sufficient evidence to suggest the employee in question had accessed the data with malicious intent, and also potentially used the information obtained to make fraudulent claims.
The accessing of data without authorization is, of course, in breach of the healthcare provider’s policies, and also a violation of the Health Insurance Portability and Accountability Act. The inappropriate access resulted in the termination of her employment contract. The discovery of insurance fraud also warranted the matter being reported to South Carolina law enforcement. While it is clear that the unnamed healthcare worker’s work colleagues have been affected, at this stage it is not clear whether patient data have been used to make fraudulent insurance claims, or have otherwise been used inappropriately. A police investigation into the alleged data theft and fraud is ongoing.
The data that were accessed included highly sensitive information that could potentially be used to steal identities and commit further fraud. These included names, dates of birth, insurance information, driver’s license numbers, clinical data (including diagnosis information) and potentially Social Security numbers.
In an effort to mitigate the risk of patients suffering losses as a result of the privacy violation, all concerned have been offered credit monitoring services and have been advised to keep a close check on their Explanation of Benefits statements and credit reports. St. Francis Health pointed out in its breach notice that the incident appears to concern only one rogue employee, but following a risk assessment it was deemed necessary to provide further training to staff members to ensure that employees are aware that “inappropriate use, access or disclosure of patients’ information will result in serious consequences up to and including termination and, where applicable, the involvement of law enforcement.” The employee in question had received training on hospital policies covering the accessing of confidential information, and appears to have abused her access rights.