Employee Data Theft Announced by Merit Health

With big money to be made from the sale of Protected Health Information, and even bigger gains to be made from using the data for identity theft, many employees are tempted to access and copy medical records.

In recent months numerous cases of data theft have been reported by hospitals, and this week another has come to light, with the announcement by Merit Health Northwest Mississippi that one of its employees has stolen patient PHI.

The now former employee’s acts were uncovered by local law enforcement officers, who notified the hospital of the potential data theft. An investigation into the security breach was initiated immediately to determine the extent of the theft. According to a statement released by Merit Health, the data access is believed to have started in February 2013 with the last data believed to have been removed in June 2015. The healthcare provider was notified of the privacy breach on July 1.

The unnamed individual is understood to have accessed and removed the records of up to 810 patients over a period of more than two years without being discovered. The data potentially obtained includes patient names, addresses, dates of birth, Social Security numbers, health plan identification numbers and some clinical information. Information relating to individuals who were responsible for the payment of medical bills may also have been compromised.

Dianne Mitchell, the director of PR & Marketing for the hospital, said in an email about the incident, “Because the police investigation is ongoing, additional patients may be identified, and notification will be made to any individuals identified.”

Under HIPAA Rules, breach notices must be issued to the media and to patients, and the Office for Civil Rights must be informed of the breach, all within 60 days of discovery. With the deadline fast approaching, the hospital was obliged to announce the breach, even though further breach victims may still be identified.

A breach notice has now been placed on the Merit Health website saying the employee was suspended while investigations were conducted, but that individual’s employment has now been terminated. Access to the healthcare provider’s facilities has similarly been terminated, as have access rights to hospital data.

However, data appears to have been stolen for financial gain, and since the theft of data started more than two years ago, it is highly likely that a number of the 810 victims will have already suffered losses. Due to the high risk of financial harm, Merit Health Northwest Mississippi will be offering all affected patients free credit monitoring and identity theft resolution services.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.