HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

St. Francis Health Employee Fired for 20 Month Privacy Violation

An employee of the Bon Secours St. Francis Health System has had her employment contract terminated after the healthcare provider became aware of privacy violations and numerous cases of medical fraud. The employee in question is alleged to have accessed the private and confidential records of fellow employees, and potentially patients, over a period of 20 months. The data accessed appears to have been used to file claims against co-workers’ insurance policies for expensive prescription creams.

The privacy violations came to light in July 2015, when employees of St. Francis Health started noticing their insurance company had billed them for “high dollar value” prescription creams, and the matter was brought to the attention of managers at St. Francis Health.

When fraudulent claims are made to insurance companies, it can be difficult to determine the person responsible. With the volume of data breaches now occurring, insurance data and other information could potentially have been obtained from any number of sources. In this case, since a number of employees from the same hospital had been affected, the data breach appeared to come from within.

St. Francis Health responded to the complaints by initiating an internal investigation to determine whether the insurance claims were made by a malicious insider. The investigation revealed that an employee had inappropriately accessed the records of employees and patients. According to the Greenville News, the internal investigation revealed that the records of 30 employees had been accessed, and potentially as many as 1,997 patient records.

The type of information accessed was consistent with the insurance claims made. St. Francis Health also determined that there was no valid reason for the data to have been accessed. This was sufficient evidence to suggest the employee in question had accessed the data with malicious intent, and also potentially used the information obtained to make fraudulent claims.

The accessing of data without authorization is, of course, in breach of the healthcare provider’s policies, and also a violation of the Health Insurance Portability and Accountability Act. The inappropriate access resulted in the termination of her employment contract. The discovery of insurance fraud also warranted the matter being reported to South Carolina law enforcement. While it is clear that the unnamed healthcare worker’s work colleagues have been affected, at this stage it is not clear whether patient data have been used to make fraudulent insurance claims, or have otherwise been used inappropriately. A police investigation into the alleged data theft and fraud is ongoing.

The data that were accessed included highly sensitive information that could potentially be used to steal identities and commit further fraud. These included names, dates of birth, insurance information, driver’s license numbers, clinical data (including diagnosis information) and potentially Social Security numbers.

In an effort to mitigate the risk of patients suffering losses as a result of the privacy violation, all concerned have been offered credit monitoring services and have been advised to keep a close check on their Explanation of Benefits statements and credit reports. St. Francis Health pointed out in its breach notice that the incident appears to concern only one rogue employee, but following a risk assessment it was deemed necessary to provide further training to staff members to ensure that employees are aware that “inappropriate use, access or disclosure of patients’ information will result in serious consequences up to and including termination and, where applicable, the involvement of law enforcement.” The employee in question had received training on hospital policies covering the accessing of confidential information, and appears to have abused her access rights.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.