Another Employee is Fired for Emailing PHI to a Personal Account
Today, a breach notice has appeared – dated August 18 – on the Department of Health and Human Services’ Office for Civil Rights breach portal from Village of Oak Park Health Plan in Illinois. The breach involved the unauthorized accessing and disclosure of the personal information of 688 individuals.
The breach in question dates back to January. On January 22, 2016, officials at Village of Oak Park discovered an employee had emailed spreadsheets containing the PHI of 688 individuals to a personal email account.
The breach was discovered during a search of employees’ emails which was initiated after some employees claimed that their premiums had not been paid to their insurers. While searching for email correspondence between insurers and employees, the email containing the spreadsheets was discovered.
The spreadsheets contained personal information of current and former employees of Village of Oak Park, Oak Park Library, Oak Park Township, the Park District of Oak Park, and the West Suburban Consolidated Dispatch Center. The spreadsheets included names, dates of birth, details of healthcare benefits, and Social Security numbers.
Get The Checklist
Free and Immediate Download
of HIPAA Compliance Checklist
Delivered via email so verify your email address is correct.
Your Privacy Respected
A full internal investigation was launched and Village of Oak Park found no evidence that the data had been used in any way that would cause harm to employees. A criminal investigation was also launched, although similarly no evidence of fraudulent use of the data was discovered.
However, there was no legitimate work reason for emailing the data to a personal email account. This was a breach of internal policies and the employee in question was fired. Individuals affected by the breach were notified of the unauthorized access and disclosure approximately one month after the incident was discovered. Individuals impacted by the breach were advised to closely monitor their accounts for any sign of fraudulent activity, even though there was no suggestion that the information was emailed with the intent of committing fraud.
In accordance with HIPAA Rules, a press release was issued, and affected individuals were notified; however, it would appear that OCR was not notified until recently.