Jackson Health System Announces Another 5-Year Insider Data Breach
Jackson Health System has recently announced an insider data breach that involved the theft of the protected health information of 2,599 patients. According to its June 6, 2025, press release, “Jackson became a victim of an employee who took advantage of his trusted position to access patient information inappropriately.”
The data accessed and obtained by the employee included names, birth dates, addresses, medical record numbers, and clinical information, which Jackson Health System said was used by the employee to promote a personal healthcare business. Jackson Health System said the employee was immediately terminated when the HIPAA violation was confirmed, and that it is working with law enforcement to investigate any potential criminal HIPAA violations.
What the breach notice does not state is how the unauthorized access was detected, for example whether it was flagged by an internal audit of access logs or followed complaints from patients who had been contacted by the employee about his personal healthcare business. Jackson Health said its internal investigation confirmed that the unauthorized access took place between July 2020 and May 2025, which means it went undetected for five years.
It may not be possible to prevent all insider data breaches, but it is important to implement policies and procedures to ensure they are rapidly identified when they do occur. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to regularly review records of activity in information systems containing electronic protected health information (ePHI), which includes reviewing access logs to identify insider breaches. HIPAA does not specify the frequency of those reviews, but it would be hard to argue that a review every five years satisfies that HIPAA requirement.
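As an added illustration of the kind of access log review the HIPAA Security Rule calls for (example code, not anything from Jackson Health System or the article), the following runs two simple insider checks over a constructed ePHI audit log: accesses to patients with whom the user has no documented treatment relationship, and users whose count of distinct patients viewed exceeds a role-based threshold. The log format, user IDs, MRNs, and assignment table are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample ePHI access log entries: (timestamp, user_id, patient_mrn, action).
# Hypothetical format; real EHR audit logs carry more fields.
ACCESS_LOG = [
    ("2025-05-01T09:02:00", "nurse01", "MRN1001", "view"),
    ("2025-05-01T09:10:00", "nurse01", "MRN1002", "view"),
    ("2025-05-01T18:30:00", "clerk07", "MRN2001", "view"),
    ("2025-05-01T18:31:00", "clerk07", "MRN2002", "view"),
    ("2025-05-01T18:32:00", "clerk07", "MRN2003", "view"),
    ("2025-05-02T18:40:00", "clerk07", "MRN2004", "view"),
]

# Constructed treatment relationships: patients each user is assigned to care for.
ASSIGNED = {
    "nurse01": {"MRN1001", "MRN1002"},
    "clerk07": {"MRN2001"},
}


def find_unassigned_access(log, assigned):
    """Return log entries where the user viewed a patient outside their assignments."""
    return [entry for entry in log if entry[2] not in assigned.get(entry[1], set())]


def users_over_threshold(log, max_distinct_patients):
    """Return {user: distinct_patient_count} for users exceeding the threshold."""
    distinct = defaultdict(set)
    for _ts, user, mrn, _action in log:
        distinct[user].add(mrn)
    return {u: len(s) for u, s in distinct.items() if len(s) > max_distinct_patients}


def review_report(log, assigned, max_distinct_patients):
    """Combine both checks into one periodic review result keyed by user."""
    flagged = defaultdict(list)
    for ts, user, mrn, action in find_unassigned_access(log, assigned):
        flagged[user].append(f"{ts} {action} {mrn}: no treatment relationship")
    for user, count in users_over_threshold(log, max_distinct_patients).items():
        flagged[user].append(f"{count} distinct patients viewed, threshold {max_distinct_patients}")
    return dict(flagged)


if __name__ == "__main__":
    for user, findings in review_report(ACCESS_LOG, ASSIGNED, 2).items():
        print(user)
        for line in findings:
            print("  -", line)
```

Running such a review on a weekly or monthly cadence, rather than only after a patient complaint, is what turns a five-year exposure into a matter of days.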
Further, this is not the first time that there has been unauthorized access to patient records by a Jackson Health System employee. In 2016, Jackson Health System disclosed an incident involving unauthorized access to the ePHI of 24,188 patients. In that case, the unauthorized access also went undetected for five years. Announcing that breach, the health system said it was implementing a new data security system that would make it quicker and easier to identify insider data breaches.
Jackson Health System was investigated by the HHS’ Office for Civil Rights over the insider incident and was determined to have violated multiple provisions of the HIPAA Privacy, Security, and Breach Notification Rules. In 2019, OCR imposed a $2.15 million financial penalty to resolve the alleged violations. At the time, OCR Director Roger Severino said the OCR investigation revealed a HIPAA compliance program that had been in disarray for a number of years. Among the identified HIPAA violations was the failure to regularly review logs of activity in information systems containing ePHI.