Washington Dept. Health & Social Services Insider Breach Affects 8,600 Individuals
The Washington Department of Social and Health Services (DSHS) has identified an insider data breach involving unauthorized access to the protected health information of approximately 8,600 individuals.
Insider threats are a major problem in healthcare, more so than in other sectors. While most insider incidents are unintentional, and snooping on medical records is a common cause of healthcare data breaches. Patient records may also be obtained for financial gain. Regular workforce HIPAA training is important to remind employees of their responsibilities with respect to patient privacy, and employee access logs should be routinely monitored. Without active monitoring, these privacy violations can persist for long periods before unauthorized access is identified.
In this case, a DSHS employee was discovered to have accessed a DSHS internal client data system without authorization and viewed records containing full names, dates of birth, Social Security numbers, DSHS client numbers, and information about DSHS program enrollment.
The DSHS investigation found no evidence that health information was accessed, such as diagnoses, test results, treatments, claims, or chart notes. The DSHS said the employee was found to have accessed records for “reasons unrelated to their job duties,” but did not elaborate further on the individual’s reasons for access. It is also unclear when the unauthorized access was detected, or for how long the employee had been accessing records for non-work purposes.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
DSHS confirmed that action was immediately taken when the privacy violations were identified, preventing further unauthorized access. DSHS has confirmed that the individual is no longer working for the department. It is unclear whether the employee was terminated over the HIPAA violation or if they left voluntarily.
DSHS said it is issuing notification letters by mail to all affected individuals and encourages them to monitor their account statements and credit reports for unauthorized activity. DSHS is cooperating with state and local law enforcement in their ongoing investigation. DSHS said steps are being taken to implement additional safeguards, and internal policies and procedures related to data privacy and security are being reviewed.
