MedStar Health Cardiology Associates Terminates Employee for PHI Theft

An employee of Medstar Health’s Cardiology Associates has been terminated after emailing the protected health information of 907 patients to a personal email account.

The incident was discovered on July 5, 2016 prompting a full internal investigation. The email was sent from a company email account to the employee’s personal account on May 2, 2016. Cardiology Associates determined that there was no legitimate work reason for emailing the list of patients.

The list contained the names of patients, their dates of birth, and health insurance ID numbers. Some Social Security numbers were also detailed on the list.

The Cardiology Associates breach investigation did not uncover any evidence to suggest that any of the data were used inappropriately, although names, dates of birth, and Social Security numbers can be used to commit identity fraud, while insurance details could potentially be used to make fraudulent claims.

Patients were notified of the privacy breach by mail on August 5, 2016. All individuals whose data were emailed to the personal account have been provided with a year of credit monitoring and identity theft protection services without charge. A program of re-education on the confidentiality of patient information has also been started to reduce the risk of future branches of this nature.

The matter has been referred to law enforcement and the incident was of sufficient severity to warrant the termination of the employee’s contract.

Planned Parenthood of Greater Washington and North Idaho Informs Patients of Email Incident

An email incident has been reported to the Department of Health and Human Services’ Office for Civil Rights that has impacted 10,700 individuals. On June 28, 2016, Planned Parenthood of Greater Washington and North Idaho discovered that emails had been accidentally sent to incorrect recipients.

The emails were sent to notify patients of the organizations online portal. The error was discovered promptly and efforts were made to prevent the emails from being sent, although it was not possible to recall the messages that had already been delivered.

The incident involved a large number of individuals, but the accidental disclosure of patient information was extremely limited. The emails only contained the name of another patient. No further information was disclosed.

Planned Parenthood determined that this was an isolated incident, although privacy policies have been reinforced internally and with the organization’s partners. Additional safeguards are now being considered to prevent this type of incident from occurring in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.