Self Regional Healthcare Announces HIPAA Data Breach
Self Regional Healthcare (SRH), a healthcare provider based in South Carolina, has announced that a laptop computer was stolen from one of its facilities on May 25, 2014. That laptop contained unencrypted Protected Health Information of nearly 40,000 of its patients. The data included highly sensitive information which could potentially be used by criminals to commit identity fraud, insurance fraud, credit card fraud and enable them to make false Medicaid/Medicare claims. Social Security numbers; drivers license numbers; financial account numbers; physician names; payment card information; insurance policy details; diagnosis and procedure information and patient names – possibly addresses – were stored on the laptop. SRH learned of the break-in and theft on May 27, 2014. Law enforcement officers were alerted and were able to apprehend two individuals believed to have illegally entered the property. One person admitted to stealing the laptop, but according to the report “he destroyed it and disposed of it in a lake,” after an attack of remorse. He also claimed not to...
PRN Medical Services Notifies 2,200 of HIPAA Data Theft
According to a breach report issued to the Department of Health and Human Services’ Office for Civil Rights, PRN Medical Services, LLC – under the name Symbius Medical LLC – has suffered a HIPAA breach after five members of staff were identified as having accessed and stolen confidential and private records. The information is believed to have been accessed, copied, and disclosed to a third party; a competitor of PRN Medical Services where the employees went to work. According to a statement issued by Symbius Medical, as reported by PHIPrivacy, the information is believed to have been stolen “in the weeks leading up to their resignations.” The staff in question were former sales representatives and Symbius believes that the information was intended to be used, and may still be, to contact patients to attempt to sell them medical supplies. The data is not believed to have been taken for the purposes of committing medical or financial fraud, and is instead a case of sales representatives taking contacts with them when they change employer. That said, this is theft of PHI and the...
Unencrypted Hospital Communications are HIPAA Violations
Text messages may be a quick and convenient method of communication for doctors and healthcare professionals; however two medical professionals from North Carolina have recently discovered that the use of unsecured text messages to transmit medical data is a HIPAA violation. For the professionals concerned, the action was innocent and believed to be in the best interest of the patient. A doctor was visiting a patient at a nursing home and requested that a nurse send the patient’s laboratory results via text message. The message was sent and only two people viewed the patient data, both of whom were authorized to access the records. However by sending the data over an unencrypted and insecure connection, the records could potentially have exposed to a third party. Text messages can be used in healthcare, but in order to be HIPAA compliant data has been encrypted. The nursing facility was given an e-class deficiency by The Centers for Medicare & Medicaid Services (CMS) which resulted in a 10-point Directed Plan of Correction (DPOC) which must be implemented within 15 days. The...
Johns Hopkins Health System Settles $190M Lawsuit Over Potential HIPAA Privacy Violations
The Baltimore-based Johns Hopkins Health System has agreed to settle a $190 million civil action lawsuit arising from HIPAA violations caused by one of its physicians. The settlement was the result of a HIPAA Privacy Rule violation caused by an obstetrician and gynecologist who had used a hidden camera to take photographs and videos of his patients while conducting examinations. The physician used a pen-like device to take 140 illicit pictures and approximately 1,200 videos of his patients, according to the findings of an investigation into professional misconduct. Dr. Nikita Levy, M.D., had worked for the hospital for more than two decades, but in early 2013 another hospital employee alerted management about a device that Levy was seen wearing around his neck during patient examinations. While the device had the appearance of a pen, the member of staff believed that it was in fact a camera. The matter was taken up by the hospital’s Information Security Department and Levy was interviewed in his office by security staff. They noticed a number of devices which they believed to be...
Federal Prosecutors Pursue Criminal Charges Against Hospital Worker for HIPAA Violations
Under the Health Insurance Portability and Accountability Act of 1996, individuals and covered entities can face criminal charges for violations of HIPAA Privacy and Security Rules, and federal prosecutors have now taken this somewhat uncommon step following a case of wrongful disclosure of PHI. Texan prosecutors filed an indictment in the Tyler District Court against Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas. The case was filed earlier this year but it was sealed until July 3. Hippler faces one count of violations of HIPAA Rules after he stole medical records from the hospital where he worked. According to a statement provided to Security Media Group, a spokesperson for the Department of Justice said “We cannot comment on how many patient records, his job, employer or the nature of the violation in detail as this is an ongoing investigation,” she says. “The violation came to light when Hippler was arrested in Georgia and found to be in possession of patient records. Although criminal HIPAA charges are uncommon, our decision to...



