An investigation conducted by Children’s Medical Clinics of East Texas has revealed a former employee took copies of children’s medical records and disclosed them to a third party. According to the breach report posted on the healthcare provider’s website, the privacy breach was caused by an individual with “a retaliatory agenda against the clinic.”
A Children’s Medical Clinics of East Texas employee was discovered to have removed business documents and taken them home, and failed to return them when requested to do so. It is not clear from the breach report when the incident occurred, but the decision was taken to report the matter to the police on August 10, 2015.
Following this incident an internal investigation was conducted which revealed the employee had also accessed patient medical records without authorization, taken a copy of the data and given it to another “disgruntled ex-employee,” although the identity of that individual was not disclosed to the healthcare provider.
The data, which were copied by taking a screenshot, included patient names, diagnosis information, treatment details and dates of birth. Although not explicitly stated in the breach notice, it would appear that financial information and Social Security numbers were not copied or shared.
It is unlikely that 16,000 patients were directly affected, but Children’s Medical Clinics of East Texas could not determine which records were actually viewed and copied. In situations such as this, all patients potentially affected must be notified that their privacy may have been violated.
The employee in question had been authorized to access medical records of patients as this was a requirement of her job. She had received training on Health Insurance Portability and Accountability Act (HIPAA) Rules covering privacy and security, and therefore committed the act knowing that she was violating federal regulations.
In this case, it would appear that the violation was committed to cause damage to the healthcare provider, and not to cause any patients to come to harm, financially or otherwise. While HIPAA Rules were violated, there is not understood to be a risk of patients suffering fraud or identity theft as a result of the privacy violation.
That said, patients are being advised to exercise caution and have been informed that they should obtain credit reports and monitor all accounts closely for any sign of fraudulent activity.
Children’s Medical Clinics of East Texas will be monitoring the situation and has asked patients to call a helpline or send an email if they suspect they have suffered identity theft as a result of the privacy breach, or if they receive a call or are otherwise contacted by a third party other than a member of the clinic in relation to the incident.
Credit monitoring services are not being provided to patients at this point in time as the risk of harm is perceived to be low. Patients have been advised that these services may be offered under certain circumstances.
The security breach has been reported to the Department of Health and Human Services, with the OCR breach portal indicating the report was received on October 28, 2015. Parents of the affected patients were sent a breach notification letter on October 8, 2015, alerting them to the privacy breach.
Additional protections will be put in place to reduce the risk of similar incidents occurring in the future, including new physical security systems. Further HIPAA training will also be provided to employees required to come into contact with PHI.
Further information can be found on the following link: http://www.childrensmedicalclinics.net/files/hipaa-breach-notice-letter.pdf
Providing Employees with Access to PHI Carries a Risk of Data Exposure
Healthcare providers allow some employees access to PHI in order for medical services to be provided to patients. Access must also be provided to staff members to allow critical business processes to be conducted. It is not possible to provide access without introducing a risk of data being stolen by employees, although that risk can be managed.
HIPAA demands that when employees or Business Associates require access to PHI, technical, physical, and administrative controls be put in place to reduce the risk of accidental or deliberate exposure of PHI. Access to patient data must also be limited to the minimum necessary information for a job to be performed.
Unfortunately, as this incident demonstrates, it is not always possible to prevent an employee from copying data and disclosing it to others. However, it is important that systems are put in place to ensure all cases of potential data theft or unauthorized access are identified promptly.
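As an added illustration, not taken from the clinic's notice or its systems, the following Python reviews a constructed EHR access audit log to answer the two questions this incident raises: which records a given authorized user touched in a time window (the question the clinic could not answer), and which user-days show unusually broad access by an otherwise authorized account. The log format, user and record ids, business hours and the per-day threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample EHR access audit log (made-up users, record ids and times).
# Assumed line format: ISO timestamp, user id, action, patient record id.
AUDIT_LOG = """\
2015-08-03T09:02:11 nurse_a VIEW 1001
2015-08-03T09:25:40 nurse_a VIEW 1002
2015-08-03T10:07:02 nurse_a VIEW 1003
2015-08-04T09:12:33 nurse_a VIEW 1004
2015-08-04T20:41:09 clerk_b VIEW 1005
2015-08-04T20:41:20 clerk_b VIEW 1006
2015-08-04T20:41:31 clerk_b VIEW 1007
2015-08-04T20:41:44 clerk_b VIEW 1008
2015-08-04T20:41:58 clerk_b VIEW 1009
2015-08-04T20:42:10 clerk_b VIEW 1010
"""

def parse_log(text):
    """Split raw log lines into dicts with a parsed timestamp; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "record": record})
    return entries

def records_accessed_by(entries, user, start, end):
    """Records `user` touched between two ISO timestamps (inclusive).
    Per-record access logging is what lets a provider answer this after an incident."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sorted({e["record"] for e in entries
                   if e["user"] == user and lo <= e["ts"] <= hi})

def flag_bulk_access(entries, max_per_day, quiet_start=time(19, 0), quiet_end=time(7, 0)):
    """Flag user-days whose distinct-record count exceeds max_per_day (an assumed
    per-role baseline), and note how many of those views fell outside business hours."""
    per_day, after_hours = defaultdict(set), defaultdict(int)
    for e in entries:
        key = (e["user"], e["ts"].date().isoformat())
        per_day[key].add(e["record"])
        t = e["ts"].time()
        if t >= quiet_start or t < quiet_end:
            after_hours[key] += 1
    return {f"{u}@{d}": {"records": len(r), "after_hours": after_hours[(u, d)]}
            for (u, d), r in per_day.items() if len(r) > max_per_day}
```

In practice the baseline would come from each role's historical access pattern rather than a fixed number, and flagged user-days would feed a privacy officer's review rather than an automatic block.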