Detroit Medical Center Discovers Agency Employee Disclosed Patients’ PHI

Detroit Medical Center has discovered an employee has stolen the protected health information of as many as 1,529 patients and impermissibly disclosed that information to a third party.

Detroit Medical Center became aware of the security breach when the staffing agency that supplied the employee contacted DMC to report that it had discovered protected health information had been obtained and provided to an third party.

DMC is part of the Tenet Healthcare system and runs eight hospitals and institutions in Detroit and southeast Michigan. DMC has not released information on the specific medical center where the employee worked or that individual’s role.

The types of information that were stolen and disclosed were also not made public. However, DMC has issued a statement confirming the data theft and disclosure have been reported to law enforcement and that the hospital is cooperating fully with the police investigation.

Upon hearing of the unauthorized disclosure, Detroit Medical Center conducted a thorough internal investigation, which included a review of all medical records that could potentially have been accessed by the employee. The employee’s login to systems containing PHI has been blocked and the employee has been terminated.

Detroit Medical Center determined that patients impacted by the security breach had visited a DMC facility for treatment between March 2015 and May 2016. Those individuals have now been notified by mail that their PHI has been compromised and have been offered credit monitoring services for 12 months without charge through AllClear.

If employees are given access to PHI in order to complete work duties there is always a risk that data access rights will be abused. It is therefore important for healthcare organizations to monitor PHI access logs regularly to check for inappropriate access. Detroit Medical Center did have monitoring systems in place, although the security breach has prompted DMC to modify monitoring programs to ensure any future incidents are detected rapidly.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.