The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Martin Army Community Hospital Notifies Patients of Historic Data Breach

Further information has emerged on a data breach affecting patients who received medical services from the Martin Army Community Hospital healthcare system in Fort Benning.

A data breach notice was submitted to the Department of Health and Human Services’ Office for Civil Rights on September 9, 2016 indicating 1,000 patients had their PHI stolen; however, specific details of the breach were not released to the media at the time.

On Sunday, October 2, the Ledger-Enquirer reported that a news release had been issued by the hospital on the incident. According to the news report, an individual formerly employed in the hospital’s laboratory shipping section was discovered to have stolen the protected health information of a number of patients. The theft of patient data was reported to the hospital by law enforcement in January 2014.

The employee was removed from work the same month and an extensive investigation into the alleged theft was conducted. While the hospital was informed that data were potentially stolen between January 2011 and December 2013, the investigation did not uncover any evidence to suggest that computer systems had been accessed. No patient data appeared to have been obtained from patients’ electronic medical records.

Instead, the employee “randomly took protected health information and protected identifiable information,” including names, birthdates and Social Security numbers from discarded lab specimen labels. The data were subsequently used to file fraudulent tax returns in the names of the victims.

Individuals whose data were used to file fraudulent tax returns have been notified by the IRS, although neither the IRS nor the Department of Justice is permitted to release details of the individuals affected by the breach to U.S. Army officials. Consequently, it has not been possible to individually notify affected patients.

The hospital has now taken the decision to send breach notification letters to all patients who were treated at the hospital between January and April 2013. It is unclear why the decision has only just been taken to notify certain patients of the incident, given the hospital was first made aware of the data theft in January 2014.

According to the news release, the former employee was arrested for his/her role in a large tax fraud scheme involving data stolen from the hospital, has been tried, and is serving time in jail for the crime.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
