Memorial Hermann Health System Announces 10K-Record HIPAA Breach

The Memorial Hermann Health System (MHHS) has discovered that a worker accessed the Protected Health Information of over 10,000 patients while employed at the hospital, with the HIPAA violations dating back some six and a half years.

The offenses took place between December 2007 and July 2014, and during that time 10,604 patient records are understood to have been accessed. The information viewed by the unnamed employee included medical records and insurance details, medical record numbers, personally identifiable information including, dates of birth, names and addresses as well as some Social Security numbers. It is not clear why the employee accessed the information, but a spokesperson from the health system said there was “no indication it involved fraudulent purposes.”

MHHS discovered the unauthorized access on July 7, 2014 and immediately blocked the employee’s access to patient records while an investigation was conducted. Outside experts in computer forensics were employed to determine which records had been accessed and the extent of the HIPAA violation.

Breach notification letters were sent to all affected individuals on August 29 in which patients were informed of the security breach and were advised to check their Explanation of Benefits (EoB) statements since insurance details were compromised in the incident. It is particularly important to check EoB statements for children, as they are more likely to suffer from fraud.

No financial information or credit cards were exposed in the incident, but patients have still been advised to check their credit history and obtain annual credit reports from the three main credit bureaus – TransUnion, Equifax and Experian – and to query any irregularities immediately.

Inappropriate PHI Access is a HIPAA Violation

Healthcare providers – and other covered entities – must ensure that Protected Health Information (PHI) is safeguarded, and access to it is restricted. Employees provided with access should only use that privilege to view records that they are required to see as part of their work duties. Accessing records without authorization, or when not required to do so for work purposes, is a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The Department of Health and Human Services’ Office for Civil Rights investigates HIPAA violations and can fine covered entities if too little has been done to control access to PHI. In this case, it would appear that the healthcare provider had not been monitoring access to PHI regularly, since the offenses span some 6.5 years.

The OCR is permitted to fine covered entities up to $1.5 million for willful neglect of HIPAA regulations. That figure is then multiplied by the number of years that the violation has been allowed to persist. HHS could potentially face an extremely high fine for the violation, and the – now former – employee could be prosecuted for inappropriate accessing of medical records by the Texas attorney general.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.