Employee Snooping Results in Exposure of 200K HIPAA Covered Records
The Early Learning Coalition of Palm Beach County has announced that a former employee has inappropriately accessed a database containing the medical records of up to 230,000 patients. The database contained personal information of parents and children who have attended centers or received services from the coalition. The affected individuals are believed to be those having received school readiness services or participated in the Voluntary Prekindergarten Education Program according to a statement made by the ELC.
The unauthorized access occurred at the Belle Glade office of Family Central Inc. and has been confirmed as having affected 37 patients, although the matter is still under investigation and the final number of victims is not yet known. Data potentially accessed included personal information such as names and contact details, and almost half of the records in the database contained Social Security numbers.
The former employee, who was not named in the statement, “accessed the database in an unauthorized manner in order to obtain the personal information, including social security numbers, of individuals contained in the database,” according to the ELC. The statement confirmed that the individual was no longer employed at the facility.
The breach is believed to be small and the individuals confirmed as having been affected have been notified by email, although all persons who have previously received services from the ELC have been advised to closely monitor their credit as a precaution and to enroll for free credit alerts with one of the three major credit agencies.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
An internal investigation is still underway and law enforcement officers have been advised about the inappropriate data access. In response to the security breach the ELC reported that it has changed its policies to improve data security and is restricting access to patient data. Security training will be provided to staff to ensure they are aware of the company policies and their responsibilities under HIPAA.
It may be difficult to determine the exact number of records that were accessed if an adequate monitoring system was not in place to log access to the data, with the OCR may consider a HIPAA violation. Under HIPAA regulations, an organization required to store or use Protected Health Information must ensure the appropriate physical, administrative and technical safeguards are put in place to secure health data. Even in cases where only a small number of records have been exposed, fines can be issued for placing the entire database at risk and can result in substantial financial penalties being applied.
