HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Five New Cases of Healthcare Employee Data Theft Reported

Healthcare employee data theft is a common occurrence, yet it is difficult to prevent determined employees from stealing healthcare data. A number of safeguards can be put in place to reduce the opportunity for data theft, and controls can be implemented to ensure that instances of theft are rapidly identified, but it is impossible to eliminate the risk of healthcare employees stealing patient data.

In the past few days, five new HIPAA violation cases of healthcare employee data theft have come to light, having been discovered in Texas, New York, Washington, and Colorado.

Husband and Wife Team Steal PHI from Manhattan’s Lenox Hill Hospital

Over 80 patients who visited the emergency room of Manhattan’s Lenox Hill Hospital have had their identities stolen and have potentially been defrauded, after a former employee of the hospital stole their Protected Health Information.

Kyle Steed, 30, was employed at Lenox Hill hospital, taking up a position in 2011. Between January 2014 and February 2015 he allegedly stole patient data which was used by his wife to defraud patients. Krystle Steed, 30, was passed the data and used the information to take control of the patients’ bank accounts and obtain credit. She managed to convince banks and credit card companies to release funds to allow her to make purchases in some of New York’s most exclusive retail outlets.

Please see the HIPAA Journal Privacy Policy

Patients’ credit card accounts were used to obtain hundreds of thousands of dollars’ worth of luxury goods. In total, more than $300,000 of goods were obtained by various methods of deception. She also allegedly attempted to obtain more than $1,000,000 in goods from Saks Fifth Avenue before she was apprehended. Upon discovery of the crimes, Kyle Steed was suspended from the hospital and subsequently had his employment contract terminated.

The pair were charged on Wednesday this week with numerous felonies including identity theft, attempted grand larceny, grand larceny, and criminal possession of stolen properly. All affected patients are in the process of being notified of the data theft and crimes committed against them.

Woodland Heights Medical Center Employee Stole 450 Patient Records

A Texas ranger recently discovered that a former employee of Woodland Heights Medical Center in Lufkin, TX, had been stealing patient medical records while employed at the hospital. A search of the employee’s home revealed approximately 450 “face sheets” had been taken from the hospital.

The face sheets contain a summary of patient health information that include the patient’s name, contact telephone number, address, date of birth, employer, employer’s address, emergency contact phone numbers, guarantor’s name, account number, medical record number, health insurance details, and Social Security numbers. The dates recorded on the face sheets were between 2013 and 2015.

The face sheets have all the information necessary to commit identity theft, medical fraud, tax fraud, and health insurance fraud, and consequently patients face a high risk of coming to financial harm as a result of the theft.

It is not clear at this point when the data were taken, and if they have actually been used inappropriately. The presence of the information in the former employee’s home strongly suggests the information was taken with malicious intent, although the individual in question has not been arrested at this point in time.

An investigation into the security breach is currently underway, with both the hospital and law enforcement looking into the data theft. All patients affected by the data breach were sent breach notification letters on December 1, and have been offered credit monitoring and protection services for a period of one year without charge.

Inappropriate Accessing of Patient Medical Files Discovered by Colorado Hospital

Earlier this week, it was announced that an employee of a UCHealth medical facility in Northern Colorado was also found to have been viewing the medical records of patients without authorization. That security breach affected 927 patients, although the accessing of the files was believed to have been out of curiosity, not with the intention of committing fraud.

Two Cases of Healthcare Employee Data Theft Uncovered by PeaceHealth

Two cases of PHI theft by employees have been discovered in Washington Medical facilities run by PeaceHealth. The first occurred in August, 2015 and affected patients of the PeaceHealth Southwest Medical Center, WA. The second occurred in October and affected patients of the PeaceHealth St. John Medical Center, WA. According to a breach notice placed on the healthcare provider’s website, the first breach affected 346 patients and the second affected 595 patients.

The first data breach involved an employee emailing data to a personal account from the hospital, while the second was caused when an employee accessed the healthcare provider’s system via third party websites after leaving employment.

According to the OCR breach reporting portal a PeaceHealth data breach was been added yesterday that indicates 1,407 patients have been impacted. It would appear that the second data breach is more serious than initially thought.

These five incidents of healthcare employee data theft highlight the importance of conducting regular audits of access logs to determine whether healthcare employees are inappropriately accessing patient medical files and the extent to which medical records are being inappropriately accessed by healthcare workers.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.