HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Child Welfare Agency Employee Emails 970 Records to Personal Email Address

Hillsides, a child welfare agency based in Pasadena, CA, has discovered that a former employee emailed highly confidential patient and employee data to a personal email address over the course of a year, in breach of Health Insurance Portability and Accountability Act Rules.

The HIPAA breach was discovered on December 8, 2015, and an investigation into the incident was immediately launched. That investigation revealed confidential data had been sent to the employee’s email account on five separate occasions. The first incidence occurred on October 10, 2014. No information has been released to indicate why the information was emailed. When data is taken or emailed to personal email accounts, the individuals responsible usually do so with a view to using the information when they change employer, to sell data to identity thieves, or to personally use the information to commit fraud or identity theft.

The latter would be possible in this case as the information contained in the files attached to the emails included patient names, addresses, dates of birth, genders, Social Security numbers, medical ID numbers, and the names of the patients’ therapists and rehabilitative therapists. The data of 502 patients of the welfare agency were contained in the lists.

It is not only patients that have been impacted by the HIPAA breach. Files containing the names, addresses, medical ID numbers, and Social Security numbers of 468 Hillside employees were also emailed to the employee’s account.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The employee’s work contract was terminated as a result of the privacy violation; however, Hillsides staff were unable to recover the data files that had been sent to the employee’s personal email account. Consequently, there is a chance that the data may not have been deleted and could be used inappropriately. Hillsides has not received any reports of the data being used inappropriately at this point in time.

At the present moment in time, criminal charges against the individual have not been filed. It would also appear that credit monitoring and identity theft protection services are not being offered to affected individuals, even though Social Security numbers and dates of birth were contained in the emailed files.

Instead, affected individuals have been encouraged to contact Equifax, Experian, and Transunion and obtain free credit reports. Individuals are permitted to obtain one free credit report from each of the three credit monitoring bureaus every 12 months without charge.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.