HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Former Employee of The Neurology Foundation Discovered to Have Obtained Patient Data

The Neurology Foundation in Providence, RI has investigated an employee who had been discovered to be using a company credit card to make unauthorized purchases. The investigation revealed that individual copied and removed a range of sensitive patient information from the organization.

In breach of the Neurology Foundation’s policies, the former employee copied data relating to the Foundation’s patients onto an external hard drive which was stored in the employee’s home.

The Neurology Foundation discovered the employee had copied data onto the hard drive during an exit interview on May 3, 2017. That revelation prompted the Foundation to retain a computer forensics firm to conduct an investigation into the employee’s activities and determine the types of data copied to the storage device and the number of patients impacted.

That investigation also revealed the former employee had breached company policies by copying sensitive data onto his/her desktop computer and several zip drives.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The information copied to the external storage device included patients’ names, addresses, phone numbers, dates of birth, email addresses, health insurance policy numbers, medical record numbers, bank account numbers, medical diagnoses, Social Security numbers, details of treatments and medications, and patients’ race and sex.

While the data could potentially have been misused, the Neurology Foundation has uncovered no evidence to suggest that was the case. The portable hard drive has now been recovered and the data have been secured.

The unauthorized credit card purchases were discovered in April and the HIPAA breach discovered in May; however, patients have only just been informed that their protected health information was compromised.

The delaying of breach notifications is a breach of HIPAA Rules; however, in certain cases, law enforcement may request that the disclosure of the breach to patients, state and federal authorities, and the media be delayed so as not to interfere with a criminal investigation.  That was the case with this breach. Law enforcement requested a delay while the investigation was conducted. The investigation is ongoing, but the law enforcement request to delay notification has now elapsed and notifications are being sent.

All patients impacted by the breach are being offered 12 months of credit monitoring services without charge and have been told to be vigilant to the possibility of identity theft and fraud.

The incident has been reported to the appropriate authorities, although it is currently unclear exactly how many patients have been impacted by the incident.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.