HIPAA-Covered Data Stolen From Las Vegas Brain and Spine Surgery Center

On July 9, the Las Vegas Western Regional Center for Brain & Spine Surgery (WRCBSS) reported that a former employee had accessed and copied the records of up to 12,000 of the healthcare provider’s patients over a period of seven months.

The data potentially copied includes Social Security numbers along with Personally Identifiable Information (PII), including patient names, addresses, dates of birth, and billing account numbers. The matter was brought to the attention of WRCBSS by law enforcement officers after they suspected the employee of stealing the information and using it to commit fraud.

The employee in question, who has not been named, is alleged to have started accessing the information on November 28, 2011, and he continued to do so until June 29, 2012.

The breach may seem large – involving some 12,000 patients – but it is not possible to ascertain exactly which records were used and copied. It could be a handful or it could be thousands; at this stage WRCBSS simply does not know.

Robin Hasty, an Administrator at WRCBSS, said, “Presently, we are unable to identify the specific patients whose personal health information was actually stolen nor do we know which of those patients whose information was stolen was also used for fraudulent activities.”

Rather than delay breach notifications unnecessarily, the decision was taken to send a notification letter to all patients who were listed in the company database at the time the data breach occurred, resulting in some 12,000 breach notice letters being sent.

At this stage it is not clear whether the individuals affected are being offered credit monitoring and repair services without charge. Since some data appears to have been used for fraudulent purposes, all affected individuals should certainly obtain free credit bureau reports and check Explanation of Benefits statements for signs of fraudulent activity. If instances of fraud are discovered, patients should notify WRCBSS and law enforcement.

It can be difficult to remove the risk of employee theft of PHI entirely, but it is essential that the opportunity for theft is limited. Staff must be made aware of the repercussions of accessing records without authorization, and routine monitoring of record access must take place. It may not be possible to stop records from being viewed, but regular monitoring of access logs can reduce the severity of a breach if it does occur.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.