Healthcare Employees Accused of Taking PHI to New Employers

Two HIPAA-covered entities are notifying patients that former employees have accessed databases and stolen protected health information to take to new employers.

Former Hair Free Forever Employee Contacts Patients to Solicit Customers

Hair Free Forever, a Ventura, CA-based provider of permanent hair removal treatments, has announced that a former employee has stolen patient information and has been contacting its patients in an attempt to solicit customers.

The company uses Thermolysis to permanently remove hair. Since the technique is classed as a medical procedure, Hair Free Forever and its employees are required to comply with HIPAA Rules.

In a data breach notice provided to the California attorney general, Hair Free Forever’s Cheryl Conway informs patients that the former employee accessed patient files and the company’s database and stole patients’ protected health information, in clear violation of HIPAA Rules. The data theft came to light when complaints were received from customers who had been contacted and told about the former employee’s new practice.

An investigation into the security breach revealed the former employee took information such as names and contact information, dates of birth, medical histories, details of mental and physical condition, diagnoses and treatment information, physicians’ names, details of medications taken, and intimate personal photographs. Hair Free Forever reports that attempts have been made to secure patients’ PHI.

It is currently unclear exactly how many patients have been affected as the incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, although a breach report has been submitted.

Cheryl Conway wrote “Aside from the moral and ethical disregard of privacy issues… this criminal behavior carries significant fines, penalties and legal ramifications.” A compliant has been filed with OCR over the HIPAA violation.

Former Muir Medical Group Employee Takes PHI to New Employer

A similar incident occurred at the Walnut Creek, CA-based independent physicians’ association Muir Medical Group IPA. Information on the breach was released in late May, although at the time it was unclear how many patients were affected. The incident has now appeared on the OCR breach portal, which reveals the information of 5,485 patients was taken by a former employee and was provided to her new employer.

The data leak was detected by Muir Medical Group on March 7. A third-party computer forensics firm was hired to investigate the breach, which revealed the following information had been taken by the former employee: Names, addresses, phone numbers, diagnoses, test results, treatment information, medications, and Social Security numbers. Affected patients had received treatment between November 2013 and February 2017.

All patients whose PHI was taken by the former employee have been offered complimentary credit monitoring services for 12 months.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.