Central City Concern Announces Employee HIPAA Breach

Another case of employee theft of PHI has been reported, this time by Oregon-based Central City Concern (CCC), where a former employee viewed and copied data from at least 15 individuals registered in CCC’s Employment Access Center Program. This information included data covered under HIPAA in some, if not all, cases. The non-profit organization was advised of the theft on April 3, 2014.

However, according to a recent report made to the Department of Health and Human Services’ Office for Civil Rights, a recent breach involving unauthorized access/disclosure is listed as having occurred between March 23, 2010 and May 24, 2013, with that incident exposing 17,914 records. The breach was reported to the OCR on May 19, 2014.

It is not clear at this stage whether these two incidents are the same, as there is no requirement for a breach report involving 15 individuals to be filed with the OCR for a period of 12 months. Since this is the only breach listed, it is reasonable to assume that this may be the same incident, with the initial number of victims having been drastically underestimated.

Social Security Numbers, Health Information and PII Accessed

The information viewed and copied includes names, addresses, dates of birth and Social Security numbers, and in some cases health information may also have been copied. CCC was notified of the breach by a federal law enforcement officer following an investigation into fraudulent tax returns. The individual in question has been accused of accessing 15 records with intent to file false tax returns.

After learning of the data theft, CCC conducted an internal investigation to determine the data that could have potentially been accessed and copied. The breach notice does not explain whether the individual was found with copies of the records or whether information had actually been disclosed or used to commit tax fraud.

Risk Managed and Individuals Alerted to PHI Access

As a precautionary measure, CCC is offering all affected individuals a year of credit monitoring services with Experian’s ProtectMyID Alert. In accordance with HIPAA Rules, CCC has implemented a number of measures to manage risk more effectively to ensure future breaches of this nature are prevented.

One of these measures involved contracting an external third-party security expert to conduct a risk assessment to ensure that “all feasible and comprehensive safeguards to protect against future risk” had been implemented.

CCC provides direct access to housing, integrated healthcare services and runs employment programs in Oregon. The organization is covered under HIPAA Rules, and must notify patients and regulatory bodies of data breaches involving the Protected Health Information (PHI) of patients.

According to the breach notice, 15 individuals were contacted to advise them that their information had been viewed and that the information may have been used by individuals to file false tax returns in their name. The breach notification letters were sent on April 28, 2014. It is not known whether notices have been sent to all individuals listed on the OCR website as being affected by a data breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.