Share this article on:
Hillsides, a child welfare agency based in Pasadena, CA, has discovered that a former employee emailed highly confidential patient and employee data to a personal email address over the course of a year, in breach of Health Insurance Portability and Accountability Act Rules.
The HIPAA breach was discovered on December 8, 2015, and an investigation into the incident was immediately launched. That investigation revealed confidential data had been sent to the employee’s email account on five separate occasions. The first incidence occurred on October 10, 2014. No information has been released to indicate why the information was emailed. When data is taken or emailed to personal email accounts, the individuals responsible usually do so with a view to using the information when they change employer, to sell data to identity thieves, or to personally use the information to commit fraud or identity theft.
The latter would be possible in this case as the information contained in the files attached to the emails included patient names, addresses, dates of birth, genders, Social Security numbers, medical ID numbers, and the names of the patients’ therapists and rehabilitative therapists. The data of 502 patients of the welfare agency were contained in the lists.
It is not only patients that have been impacted by the HIPAA breach. Files containing the names, addresses, medical ID numbers, and Social Security numbers of 468 Hillside employees were also emailed to the employee’s account.
The employee’s work contract was terminated as a result of the privacy violation; however, Hillsides staff were unable to recover the data files that had been sent to the employee’s personal email account. Consequently, there is a chance that the data may not have been deleted and could be used inappropriately. Hillsides has not received any reports of the data being used inappropriately at this point in time.
At the present moment in time, criminal charges against the individual have not been filed. It would also appear that credit monitoring and identity theft protection services are not being offered to affected individuals, even though Social Security numbers and dates of birth were contained in the emailed files.
Instead, affected individuals have been encouraged to contact Equifax, Experian, and Transunion and obtain free credit reports. Individuals are permitted to obtain one free credit report from each of the three credit monitoring bureaus every 12 months without charge.