The Neurology Foundation in Providence, RI has investigated an employee who was discovered to be using a company credit card to make unauthorized purchases. The investigation revealed that the individual had copied and removed a range of sensitive patient information from the organization.
In breach of the Neurology Foundation’s policies, the former employee copied data relating to the Foundation’s patients onto an external hard drive which was stored in the employee’s home.
The Neurology Foundation discovered the employee had copied data onto the hard drive during an exit interview on May 3, 2017. That revelation prompted the Foundation to retain a computer forensics firm to conduct an investigation into the employee’s activities and determine the types of data copied to the storage device and the number of patients impacted.
That investigation also revealed the former employee had breached company policies by copying sensitive data onto his/her desktop computer and several zip drives.
The information copied to the external storage device included patients’ names, addresses, phone numbers, dates of birth, email addresses, health insurance policy numbers, medical record numbers, bank account numbers, medical diagnoses, Social Security numbers, details of treatments and medications, and patients’ race and sex.
While the data could potentially have been misused, the Neurology Foundation has uncovered no evidence to suggest that was the case. The portable hard drive has now been recovered and the data have been secured.
The unauthorized credit card purchases were discovered in April and the HIPAA breach was discovered in May; however, patients have only just been informed that their protected health information was compromised.
Delaying breach notifications is a breach of HIPAA Rules; however, in certain cases, law enforcement may request that the disclosure of the breach to patients, state and federal authorities, and the media be delayed so as not to interfere with a criminal investigation. That was the case with this breach. Law enforcement requested a delay while the investigation was conducted. The investigation is ongoing, but the law enforcement request to delay notification has now elapsed and notifications are being sent.
All patients impacted by the breach are being offered 12 months of credit monitoring services without charge and have been told to be vigilant to the possibility of identity theft and fraud.
The incident has been reported to the appropriate authorities, although it is currently unclear exactly how many patients have been impacted by the incident.