Consolidated Tribal Health Project Learns of Employee HIPAA Breach

The Consolidated Tribal Health Project, Inc. (CTHP) has discovered that a former employee accessed Protected Health Information (PHI) and Personally Identifiable Information (PII) information stored on its computer network that the individual had no legitimate reason for viewing.

In accordance with the HIPAA Breach Notification Rule, a breach notice has been issued to the media and CTHP said it started mailing notification letters to affected individuals on May, 12. No mention was made of when CTHP learned of the data breach or for how long it had continued before it was detected.

The press release did confirm that an investigation is underway to determine the nature and scope of the incident, and law enforcement officers have been notified and are conducting a criminal investigation. CTHP enlisted the help of external computer forensics experts to analyze login and access attempts and to ascertain exactly what data was exposed and how many individuals were affected.

Social Security Numbers and Financial Information of Patients and Employees Compromised

The total number of victims – 4885 – was reported to the Office for Civil Rights on April 28. CTHP announced that both employees and patients have had data compromised in the incident. Employees’ data included their names, addresses, contact telephone numbers, dates of birth, Social Security numbers, driver’s license numbers and financial information.

Patients’ medical information, insurance details, Social Security numbers, financial information and names, addresses and dates of birth were all potentially viewed. CTHP said it will be informing the OCR of the data breach in due course – when numbers must be disclosed – indicating that this breach has affected more than 500 individuals.

Due to the extent of the data that has potentially been viewed and the risk that this information was accessed with the purpose of using it to commit fraud, it is essential that all affected individuals take action to safeguard their credit and monitor Explanations of Benefit Statements and insurance claims. CTHP has advised all patients to exercise caution, check credit reports and place a fraud alert on credit. It also advised the victims to request additional security measures to be applied to confirm identity on credit or loan applications. A year of credit monitoring services is being offered to victims of the breach to protect against fraud and identity theft.

Employee PHI Theft and Inappropriate Access is a Major Problem in Hospitals

Insider theft is a major problem in the healthcare industry and it is one of the hardest data breach risks to eliminate. Individuals must be granted access to PHI in order to perform their jobs, but by doing so it is possible for them to access records that they have no legal right to view.

Access cannot be stopped but it can be controlled and any cases of inappropriate access must be rapidly identified. In many cases, it takes months if not years before inappropriate access of PHI is discovered. To mitigate risk, all covered entities must log access to PHI and should regularly review access logs to minimize the damage caused when employees decide to snoop on records or steal healthcare data.

Florida Hospital in Orland recently discovered 9,000 records had been accessed by employees, and in December last year, Early Learning Coalition of Palm Beach County uncovered unauthorized access had exposed 200,000 patient health records.

This year, legal action was taken against an employee of Promedica Bay Park Hospital in Ohio after 596 patient records were viewed without authorization and in February an east Texas hospital employee was jailed for 18 months for accessing records without authorization.

When employees are caught, criminal proceedings are likely and fines of up to $250,000 and up to 10 years in jail can be expected if PHI is stolen for personal gain.

Post Updated: 05/29/2015

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.