25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Insider Wrongdoing Breach at Kentucky Counseling Center Impacts 16,440 Patients

Posted By on Feb 22, 2019

Kentucky Counseling Center (KCC) has discovered a list of 16,440 patients has been stolen and disclosed to another individual. A current employee is suspected of accessing and copying patient information without authorization, uploading the data to an anonymous file sharing service, and subsequently sending a hyperlink to the list to a former employee of KCC.

The former employee received the link to the patient list on January 6, 2019 and reported the privacy breach to KCC.

KCC launched an investigation into the insider breach to determine when the list was obtained and who was responsible. KCC believes the list was downloaded and stolen on December 6, 2018 by a then current employee of KCC. That person is no longer employed at the Counseling Center.

The motivations behind the HIPAA violations are unclear – Both the unauthorized access/theft and the subsequent impermissible disclosure to a former employee. KCC explained in its breach notification letter that there is no reason to believe that the list was taken with the intent of causing harm to patients.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

However, due to the nature of the data contained in the list the decision was taken to offer credit monitoring services to affected patients for 12 months without charge.

The types of information in the list varied from patient to patient and may have included the following data elements: Full name, address, date of birth, phone numbers, gender, marital status, employment status, insurance payor, insurance number, Social Security number, last and next appointment dates, and KCC clinician name.

The measures taken to prevent further incidents such as this from occurring in the future include strengthening passwords and implementing multi-factor authentication on its computer system.

The KCC breach notice does not mention whether the person responsible was fired or left KCC of his/her own accord nor whether the matter has been referred to law enforcement.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist