HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach

A former employee of the Arkansas Department of Human Services (DHS) has been fired from her new position at the state hospital for emailing spreadsheets containing the protected health information of patients to a personal email account.

Yolanda Farrar worked as a payment integrity coding analyst for the DHS, but was fired on March 24, 2017. According to a statement issued by DHS spokesperson Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.”

The day previously, Farrar had spoken with her supervisor about issues relating to her performance and learned that she was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address.

Farrar decided to take legal action against DHS for unfair dismissal. Attorneys working for DHS were preparing to represent the agency in court and were checking emails sent by Farrar through her work email account. They discovered the emails and spreadsheets on August 7. The DHS privacy officer was immediately notified of the discovery and an internal investigation into the incident was launched.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The spreadsheets were found to contain a range of sensitive information of patients including names, birth dates, linked Medicaid identification numbers, diagnoses, codes for medical procedures, and some Social Security numbers. Each record in the spreadsheet was manually checked and after duplicates were removed, DHS determined that the protected health information of 26,044 patients had been emailed to the personal account.

By emailing the spreadsheets, Farrar breached DHS policies, state and federal laws. Farrar had since been employed at the state hospital; however, the discovery of the emails resulted in her being fired from that position. The investigation into the privacy breach is ongoing and the DHS intends to pursue criminal charges against Farrar.

The DHS already requires employees to undergo privacy training. All employees are required to pass a test on that training before they are allowed Internet access and are made aware that emailing confidential information outside the agency is prohibited.  A review of policies and procedures is being conducted to determine whether any further actions can be taken to reduce the potential for similar incidents from occurring in the future.

DHS has confirmed that all individuals impacted by the incident will be notified of the privacy breach by mail this week.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.