HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Georgia Eye Center Discovers Insider Breach: 10,891 Patients Impacted

A former employee of the Thomasville Eye Center in Thomasville, GA has been discovered to have accessed the protected health information of patients without authorization. PHI was stolen from the eye center and used to open credit accounts in the names of the patients.

The eye center was alerted to the identity theft on August 8, 2016 and immediately launched an investigation to determine whether this was an isolated incident or if other patients had potentially been affected. The eye center discovered that the records of 10,891 patients had been accessed by the employee. The information contained in those records included names, addresses, birthdates, medical billing information, and Social Security numbers.

After confirming that PHI had been improperly accessed, the employee was terminated and law enforcement was notified. The eye center is continuing to work with law enforcement and is assisting in the criminal investigation of the employee’s activities. All affected patients have now been notified of the breach by mail and credit monitoring and identity theft protection services have been provided for a period of 12 months without charge.

If employees are provided with access to the protected health information of patients, there is a risk of PHI access rights being abused. While it is not possible to eradicate the risk of data theft by employees, healthcare organizations can take a number of steps to reduce the risk. These include:

  • Conducting background checks prior to employment being offered
  • Ensuring training is provided on privacy and the penalties for improper PHI access are explained to staff
  • Restricting access to PHI to the minimum necessary information for work duties to be performed
  • Restricting access to PHI to an individual worker’s patient case load
  • Blocking the use of portable storage devices (USB ports)
  • Ensuring PHI access logs are recorded and are frequently reviewed to ensure improper PHI access is identified promptly if and when it does occur
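The last two controls in the list above, restricting access to a worker's own caseload and reviewing PHI access logs regularly, can be checked mechanically rather than by eye. The script below is an added illustration and is not code from HIPAA Journal or Thomasville Eye Center; the log format, the user and patient identifiers, the caseload table and the daily threshold are all constructed assumptions. It reads an access log, reports every record a user opened that is outside their assigned caseload, and reports any user who opened more distinct patient records in a day than a configured threshold, which is the pattern a review of this kind of breach would be looking for.

```python
"""Review PHI access logs for out-of-caseload and high-volume access.

Added example, not HIPAA Journal's or the eye center's code. The log line
format (timestamp user patient_id action), the caseload table and the
threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: ISO timestamp, user, patient id, action.
SAMPLE_LOG = """\
2016-08-01T09:02:11 jdoe P1001 view
2016-08-01T09:05:43 jdoe P1002 view
2016-08-01T09:07:19 jdoe P1003 view
2016-08-01T10:12:00 asmith P2001 view
2016-08-01T10:15:33 asmith P2002 view
2016-08-01T11:40:02 jdoe P2002 view
2016-08-01T12:01:09 jdoe P1004 view
2016-08-01T12:01:40 jdoe P1005 view
2016-08-01T12:02:12 jdoe P1006 view
"""

# Constructed caseload assignments. In practice these would be pulled from
# the scheduling or EHR system, not hard-coded.
CASELOAD = {
    "jdoe": {"P1001", "P1002", "P1003", "P1004"},
    "asmith": {"P2001", "P2002"},
}


def parse_log(text):
    """Turn the whitespace-separated log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return records


def find_out_of_caseload(records, caseload):
    """Return (user, patient) pairs where the patient is not assigned to the user."""
    return [
        (r["user"], r["patient"])
        for r in records
        if r["patient"] not in caseload.get(r["user"], set())
    ]


def find_high_volume(records, max_distinct_per_day):
    """Return {(user, date): count} for users who touched too many distinct
    patient records in one day. Counting distinct patients rather than raw
    events avoids flagging someone who legitimately reopens the same chart."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["user"], r["ts"].date().isoformat())].add(r["patient"])
    return {
        key: len(patients)
        for key, patients in seen.items()
        if len(patients) > max_distinct_per_day
    }


def review(text=SAMPLE_LOG, caseload=CASELOAD, max_distinct_per_day=5):
    """Run both checks and return the findings for a reviewer to act on."""
    records = parse_log(text)
    return {
        "out_of_caseload": find_out_of_caseload(records, caseload),
        "high_volume": find_high_volume(records, max_distinct_per_day),
    }


if __name__ == "__main__":
    findings = review()
    for user, patient in findings["out_of_caseload"]:
        print(f"out-of-caseload access: {user} opened {patient}")
    for (user, day), count in findings["high_volume"].items():
        print(f"high-volume access: {user} opened {count} distinct records on {day}")
```

On the constructed log, user jdoe is flagged three times for patients outside the assigned caseload and once for opening seven distinct records in a day against a threshold of five. The threshold is the tunable part: it should be set from each role's normal daily volume, and any alert should be followed by a human check against the schedule before action is taken, since a covering shift or a referral can legitimately put a record outside the usual caseload.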

Thomasville Eye Center has now implemented a number of changes to policies and procedures to reduce the risk of employee data theft. The number of employees permitted to process credit applications and access patients’ financial information has now been reduced and Care Credit Card applications can no longer be taken over the telephone. Credit applications are now being monitored and audited and the eye center’s computer system now masks Social Security numbers. All staff members have also been retrained on privacy and security.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.