HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

California Department of State Hospitals Discovers Unauthorized Data Copying by IT Employee

The Department of State Hospitals (DSH) in California has discovered an employee accessed the protected health information (PHI) of 1,415 current/former patients and 617 employees without authorization.

The individual had an Information Technology role and had access to data servers containing sensitive patient and employee information in order to complete work duties. The improper access was discovered by DSH on February 25, 2021 during a routine annual review of access to data folders.

An investigation was immediately launched which revealed the employee had been accessing data without authorization for around 10 months. Files containing names, COVID-19 test results, and other health information necessary for tracking COVID-19 were copied directly from the server. The investigation into the privacy breach is ongoing and the employee has been placed on administrative leave pending completion of the investigation. So far, the investigation has not uncovered any evidence to suggest the copied data has been misused or disclosed to any other individual.

DSH explained that safeguards were in place to identify unauthorized PHI access, but because the employee's individual actions were indistinguishable from legitimate access, the unauthorized access was not flagged when it occurred and only came to light during the annual review.


“It appears that the employee used the access they were provided in order to perform their normal job duties to go directly into the server, copy files containing patient, former patient, and employee names, COVID-19 test results, and related health information without any apparent connection to their job duties, indicating a high probability of unauthorized access,” explained DSH in its data breach FAQs. It is currently unclear whether this was an intentional breach.

Steps have since been taken to prevent similar incidents in the future, including changing policies and procedures, limiting access to servers containing PHI, and improving logging and reviews of data activity. Automated detection of files containing PHI being copied to non-standard locations has also been improved.
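The remediation DSH describes, logging and reviewing data activity and detecting PHI files copied to non-standard locations, can be illustrated with a small detection routine. The following is an added example and is not DSH's code or tooling; the audit log format, the folder paths, the account names and the per-account baseline are all constructed for illustration. It runs two checks over file-server audit records: any copy of a file under a PHI folder to a destination outside an approved list, and any account whose volume of PHI reads in the review window far exceeds its historical baseline, which is the kind of aggregate review that catches access that looks legitimate one event at a time.

```python
"""Added detection example (not DSH's code): flag PHI files copied to
non-standard locations and accounts whose PHI read volume is abnormal,
run over constructed file-server audit records. Paths, account names and
the log format are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Assumed: folders that hold PHI, and the only destinations a PHI file may
# legitimately be copied to (for example a sanctioned archive share).
PHI_ROOTS = ("/srv/clinical/covid_tracking/", "/srv/hr/health/")
APPROVED_DESTS = ("/mnt/backup/phi_archive/",)


@dataclass
class Event:
    ts: datetime
    user: str
    action: str  # "READ" or "COPY"
    src: str
    dst: str     # empty for READ


def parse_line(line: str) -> Event:
    """Constructed pipe-delimited audit format: ts|user|action|src|dst."""
    ts, user, action, src, dst = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, action, src, dst)


def is_phi_path(path: str) -> bool:
    return any(path.startswith(root) for root in PHI_ROOTS)


def nonstandard_phi_copies(events: List[Event]) -> List[Event]:
    """COPY events whose source is PHI and whose destination is not approved."""
    return [e for e in events
            if e.action == "COPY" and is_phi_path(e.src)
            and not any(e.dst.startswith(d) for d in APPROVED_DESTS)]


def phi_volume_outliers(events: List[Event], baseline: Dict[str, int],
                        factor: float = 3.0) -> Dict[str, int]:
    """Accounts whose PHI READ count exceeds factor x their historical count
    for a review window of the same length. Each read looks like normal work;
    the aggregate does not. Accounts with no PHI history are flagged on any read."""
    counts = Counter(e.user for e in events
                     if e.action == "READ" and is_phi_path(e.src))
    return {u: n for u, n in counts.items() if n > factor * baseline.get(u, 0)}


def run_detections(log_text: str, baseline: Dict[str, int]) -> dict:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "nonstandard_copies": [(e.user, e.src, e.dst)
                               for e in nonstandard_phi_copies(events)],
        "volume_outliers": phi_volume_outliers(events, baseline),
    }


# Constructed sample audit records; not real log data.
SAMPLE_LOG = """
2021-02-01T09:02:11|jdoe_it|READ|/srv/clinical/covid_tracking/results_jan.csv|
2021-02-01T09:02:40|jdoe_it|COPY|/srv/clinical/covid_tracking/results_jan.csv|/home/jdoe_it/results_jan.csv
2021-02-01T10:15:03|nurse_a|READ|/srv/clinical/covid_tracking/results_jan.csv|
2021-02-01T22:00:00|svc_backup|COPY|/srv/hr/health/staff_tests.xlsx|/mnt/backup/phi_archive/staff_tests.xlsx
2021-02-02T08:10:00|jdoe_it|READ|/srv/hr/health/staff_tests.xlsx|
2021-02-02T08:11:00|jdoe_it|COPY|/srv/hr/health/staff_tests.xlsx|/tmp/scratch/staff_tests.xlsx
2021-02-02T08:12:00|jdoe_it|READ|/srv/it/patches/kb123.bin|
"""

# Constructed baseline: PHI reads per account in a comparable past window.
BASELINE = {"nurse_a": 40, "svc_backup": 0}

if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG, BASELINE).items():
        print(name, hits)
```

On the constructed records, the sanctioned backup copy to the archive share is ignored, both copies by the IT account to a home directory and a scratch folder are flagged, and the IT account is also the only volume outlier because it has no history of reading PHI folders. The copy check is the cheap, high-signal control; the baseline check is what a periodic access review amounts to when automated, and its threshold has to be tuned against the roles that legitimately touch PHI.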

Mendelson Kornblum Orthopedic and Spine Specialists Discovers Vulnerable Server Containing 28,658 Patients’ PHI

Mendelson Kornblum Orthopedic and Spine Specialists in Michigan has recently announced that the protected health information of 28,658 patients has been exposed and may have been accessed by unauthorized individuals.

On January 5, 2021, the practice discovered one of its servers was “vulnerable to viewing by unauthorized third parties.” The server contained information such as patient names, medical record numbers, dates of birth, sex of patients, and information relating to medical images, such as the date/time the image was taken, image number, and the name of the body part that was imaged.

No medical images were accessible, nor was highly sensitive information such as Social Security numbers, health insurance information, diagnosis/treatment information, or financial information exposed.

While the server was vulnerable to third-party access, the investigation did not uncover evidence of any misuse of patient data, and it is not known for how long the server was vulnerable. Steps have since been taken to prevent similar incidents in the future.

Eyemart Express Alerts Patients to Email Account Breach

Farmers Branch, TX-based Eyemart Express has discovered an unauthorized individual has accessed the email accounts of certain employees and potentially viewed or obtained patients’ protected health information. The breach was discovered on December 11, 2020 and steps were immediately taken to prevent further unauthorized access.

The investigation confirmed the breach started on August 21, 2020 and was limited to email accounts. No internal systems were affected. A comprehensive review of the affected email accounts revealed they contained information such as names, email addresses, and the subject lines of email communications between Eyemart Express and the affected customers. Only a small percentage of its patients have been affected, and they have now been notified.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.