Martin Army Community Hospital Notifies Patients of Historic Data Breach

Further information has emerged on a data breach affecting patients who received medical services from the Martin Army Community Hospital healthcare system in Fort Benning.

A data breach notice was submitted to the Department of Health and Human Services’ Office for Civil Rights on September 9, 2016, indicating that 1,000 patients had their PHI stolen; however, specific details of the breach were not released to the media at the time.

On Sunday, October 2, the Ledger-Enquirer reported that the hospital had issued a news release on the incident. According to the news report, an individual formerly employed in the hospital’s laboratory shipping section was discovered to have stolen the protected health information of a number of patients. The theft of patient data was reported to the hospital by law enforcement in January 2014.

The employee was removed from work the same month and an extensive investigation into the alleged theft was conducted. While the hospital was informed that data were potentially stolen between January 2011 and December 2013, the investigation did not uncover any evidence to suggest that computer systems had been accessed. No patient data appeared to have been obtained from patients’ electronic medical records.

Instead, the employee “randomly took protected health information and protected identifiable information,” including names, birthdates and Social Security numbers from discarded lab specimen labels. The data were subsequently used to file fraudulent tax returns in the names of the victims.

Individuals whose data were used to file fraudulent tax returns have been notified by the IRS, although neither the IRS nor the Department of Justice is permitted to release details of the individuals affected by the breach to U.S. Army officials. Consequently, it has not been possible to individually notify affected patients.

The hospital has now taken the decision to send breach notification letters to all patients who were treated at the hospital between January and April 2013. It is unclear why the decision has only just been taken to notify certain patients of the incident, given the hospital was first made aware of the data theft in January 2014.

According to the news release, the former employee was arrested for his or her role in a large tax fraud scheme involving data stolen from the hospital, has been tried, and is serving time in jail for the crime.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.