Dedicated to providing the latest
HIPAA compliance news

Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach

Share this article on:

A former employee of the Arkansas Department of Human Services (DHS) has been fired from her new position at the state hospital for emailing spreadsheets containing the protected health information of patients to a personal email account.

Yolanda Farrar worked as a payment integrity coding analyst for the DHS, but was fired on March 24, 2017. According to a statement issued by DHS spokesperson Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.”

The day previously, Farrar had spoken with her supervisor about issues relating to her performance and learned that she was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address.

Farrar decided to take legal action against DHS for unfair dismissal. Attorneys working for DHS were preparing to represent the agency in court and were checking emails sent by Farrar through her work email account. They discovered the emails and spreadsheets on August 7. The DHS privacy officer was immediately notified of the discovery and an internal investigation into the incident was launched.

The spreadsheets were found to contain a range of sensitive information of patients including names, birth dates, linked Medicaid identification numbers, diagnoses, codes for medical procedures, and some Social Security numbers. Each record in the spreadsheet was manually checked and after duplicates were removed, DHS determined that the protected health information of 26,044 patients had been emailed to the personal account.

By emailing the spreadsheets, Farrar breached DHS policies, state and federal laws. Farrar had since been employed at the state hospital; however, the discovery of the emails resulted in her being fired from that position. The investigation into the privacy breach is ongoing and the DHS intends to pursue criminal charges against Farrar.

The DHS already requires employees to undergo privacy training. All employees are required to pass a test on that training before they are allowed Internet access and are made aware that emailing confidential information outside the agency is prohibited.  A review of policies and procedures is being conducted to determine whether any further actions can be taken to reduce the potential for similar incidents from occurring in the future.

DHS has confirmed that all individuals impacted by the incident will be notified of the privacy breach by mail this week.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On