A former employee of Portland-based Northwest Primary Care (NWPC) stole the Protected Health Information (PHI) of 5,372 patients of the Oregon medical clinic, according to a NWPC breach notice issued yesterday.
The healthcare provider was alerted to the data theft by law enforcement. An investigation into the alleged data theft revealed the individual had accessed the medical records of patients during the time that he/she was employed at NWPC and had viewed and stolen highly sensitive patient data including patient names, dates of birth, credit card numbers, and Social Security numbers.
The data theft occurred over two years ago between April and December 2013, although NWPC was only made aware of the theft on October 13, 2015. According to the NWPC press release there is no indication that any of the data were actually used for fraudulent purposes. However, the theft of data such as credit card and Social Security numbers indicates the information was taken with criminal intent, and patients are consequently at risk of suffering identity theft and fraud. In order to mitigate risk, NWPC is notifying patients and offering them credit monitoring, identity theft protection, and identity recovery services for a period of 12 months without charge through ID Experts. Patients will also be covered by a $1,000,000 identity theft insurance policy.
The former employee had been subjected to a background check prior to being employed and references had been obtained from past employers. The former member of staff had also been trained on internal policies covering data privacy, which had been developed in accordance with Health Insurance Portability and Accountability Act (HIPAA) Rules.
After learning of the breach, NWPC decided to implement a number of additional technical controls to ensure that patient privacy is better protected in the future. Those measures include the implementation of advanced monitoring systems to identify cases of inappropriate accessing of medical records and the provision of further training to staff members to re-educate them on the importance of protecting patient data.
The incident highlights the need for healthcare organizations to conduct regular audits of PHI access logs to identify inappropriate accessing of patient medical files and possible data theft by staff members.
A HIPAA-covered entity must ensure that records are maintained of all attempts by employees to access medical records. Logs should record the individual accessing the records, the date and time of access, what PHI was viewed, and any PHI that was altered or deleted. Failed access attempts must also be recorded – 45 CFR §164.308(a)(1)(ii)(D), §164.308(a)(5)(ii)(C) and §164.312(b). Under HIPAA Rules, access logs must be kept for a period of 6 years.
Covered entities must have the technology in place to record data and keep logs for auditing purposes; however, access logs are only useful if they are regularly checked. Covered entities must not rely on law enforcement to alert them to cases of data theft, and must take a proactive approach to ensure patient privacy is not violated by staff members. The number of cases of employee theft of PHI reported to the HHS’ Office for Civil Rights this year shows that employee data theft is a very real risk. Action must therefore be taken to reduce that risk to a minimal level.
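As an added illustration of the kind of routine access-log review the article calls for (example code written for this page, not anything from NWPC or its systems; the log format, field names and thresholds are assumptions), the script below parses constructed access-log lines and flags three patterns an auditor would want to see: one user pulling SSN or card data for many distinct patients in a day, views outside working hours, and repeated failed access attempts.

```python
from collections import defaultdict
from datetime import datetime

# Fields whose bulk retrieval warrants review (the article names SSNs and card numbers).
SENSITIVE = {"ssn", "cc"}

# Constructed sample lines (the format is an assumption, not a real EHR product's log):
# ISO timestamp | user | patient id | action | fields returned (empty on failure)
SAMPLE_LOG = """\
2013-04-02T09:14:00|jdoe|P1001|VIEW|name,dob
2013-04-02T09:40:00|jdoe|P1002|VIEW|name,dob,ssn
2013-04-02T22:31:00|msmith|P2001|VIEW|name,dob,ssn,cc
2013-04-02T22:32:00|msmith|P2002|VIEW|name,dob,ssn,cc
2013-04-02T22:33:00|msmith|P2003|VIEW|name,dob,ssn,cc
2013-04-02T22:34:00|msmith|P2004|VIEW|name,dob,ssn,cc
2013-04-03T08:05:00|rlee|P3001|FAILED|
2013-04-03T08:06:00|rlee|P3002|FAILED|
2013-04-03T08:07:00|rlee|P3003|FAILED|
"""

def parse(log_text):
    """Yield one dict per well-formed line; blank lines are skipped."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, fields = line.split("|")
        yield {"ts": datetime.fromisoformat(ts), "user": user, "patient": patient,
               "action": action, "fields": {f for f in fields.split(",") if f}}

def audit(log_text, max_sensitive_per_day=3, max_failed=3, hours=(7, 19)):
    """Return sorted (rule, user, day, count) findings for the thresholds given."""
    sensitive = defaultdict(set)    # (user, day) -> distinct patients with SSN/CC viewed
    after_hours = defaultdict(int)  # (user, day) -> successful views outside `hours`
    failed = defaultdict(int)       # (user, day) -> failed access attempts
    for e in parse(log_text):
        key = (e["user"], e["ts"].date().isoformat())
        if e["action"] == "FAILED":
            failed[key] += 1
            continue
        if e["fields"] & SENSITIVE:
            sensitive[key].add(e["patient"])
        if not hours[0] <= e["ts"].hour < hours[1]:
            after_hours[key] += 1
    findings = [("bulk_sensitive", u, d, len(p))
                for (u, d), p in sensitive.items() if len(p) > max_sensitive_per_day]
    findings += [("after_hours", u, d, n) for (u, d), n in after_hours.items() if n]
    findings += [("failed_attempts", u, d, n)
                 for (u, d), n in failed.items() if n >= max_failed]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

The thresholds are deliberately low for the sample; in practice they would be tuned per role so that a billing clerk and a treating clinician are not held to the same baseline.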