Texas Children’s Health Plan has discovered that the protected health information (PHI) of 932 of its members was emailed to the personal email account of a former employee.
The emails were sent in November and December 2016, but the incident was only discovered on September 21, 2017, during a routine review.
Texas Children’s Health Plan responded to the breach promptly and has taken action to mitigate risk. The health insurance plan has also implemented additional safeguards to prevent similar incidents from occurring in the future and employees have been re-trained on hospital policies and HIPAA Rules.
The reason the PHI was emailed to the personal account has not been disclosed. The breach report posted on the health plan’s website states that no evidence has been found to suggest any member information has been used inappropriately; even so, the incident has been reported to law enforcement.
As required by the HIPAA Breach Notification Rule, the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, and all affected members have been notified by mail. Breach notification letters were sent on Friday, October 27, well inside the 60-day deadline (counted from discovery) that the Breach Notification Rule allows.
The types of data in the emails varied from member to member but typically included names, telephone numbers, addresses, dates of birth, Medicaid numbers, waiver type, the STAR Kids manager’s name and group, and information from a budget worksheet. No financial information or Social Security numbers were included, although for a small number of members the emails also contained medical record numbers, medical diagnoses, and clinical information.
This type of incident is relatively common, and several HIPAA-covered entities have discovered similar breaches in recent months. Often the PHI is taken to a new employer to recruit patients to a new practice; in some cases it has been emailed to friends and relatives for help with data-processing tasks; and some healthcare employees have stolen data in order to commit identity theft and fraud.
HIPAA-covered entities should therefore be monitoring outbound email for PHI, paying particular attention to messages from staff accounts to personal webmail addresses. Ideally, technical restrictions such as data loss prevention rules should be in place to block PHI from being emailed outside the organization rather than relying on a later review to catch it.
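The following is an added example of the kind of outbound-email check this recommendation calls for; it is not code from the article, the health plan, or any vendor product. It scores each gateway-logged message for the pattern in this story (an internal sender, a personal webmail recipient, member identifiers in the body, a spreadsheet attachment) and, going one step beyond per-message scoring, aggregates flagged mail per sender so that a few records at a time, spread over weeks, still surface once the distinct member count crosses a threshold. The internal domain, the webmail list, the nine-digit identifier and date-of-birth patterns, the keyword list, the score thresholds and all sample messages are assumptions constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed settings for this example: the plan's own mail domain and the consumer webmail
# providers staff must not use for member data. Neither is any real organization's config.
INTERNAL_DOMAIN = "healthplan.example"
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com", "icloud.com"}

# Assumed identifier formats: a nine-digit member/Medicaid number and a US-style date of birth.
# Bare nine-digit runs also match unformatted phone numbers, so they add to a score, not block alone.
MEMBER_ID_RE = re.compile(r"\b\d{9}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
PHI_KEYWORDS = ("diagnosis", "medicaid", "medical record", "star kids", "waiver", "budget worksheet")
SPREADSHEET_EXT = (".xls", ".xlsx", ".csv")
FLAG_AT, BLOCK_AT = 3, 6  # assumed score thresholds for the gateway decision


@dataclass
class Message:
    sent_at: str  # ISO-8601 timestamp recorded by the mail gateway
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


@dataclass
class Finding:
    score: int
    reasons: list[str]
    action: str  # "allow", "flag" (deliver and alert) or "block" (quarantine)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _letters(addr: str) -> str:
    """Local part reduced to letters, so 'm.garcia' and 'mgarcia.home' can be compared."""
    return re.sub(r"[^a-z]", "", addr.split("@", 1)[0].lower())


def _text(msg: Message) -> str:
    return " ".join([msg.subject, msg.body, *msg.attachments])


def score_message(msg: Message) -> Finding:
    """Score one outbound message for the 'staff member mails PHI to a personal account' pattern."""
    if _domain(msg.sender) != INTERNAL_DOMAIN:
        return Finding(0, ["sender is not internal"], "allow")
    external = [r for r in msg.recipients if _domain(r) != INTERNAL_DOMAIN]
    if not external:
        return Finding(0, ["internal recipients only"], "allow")
    score, reasons = 0, []
    personal = [r for r in external if _domain(r) in PERSONAL_WEBMAIL]
    if personal:
        score += 3; reasons.append("recipient at personal webmail: " + ", ".join(personal))
    else:
        score += 1; reasons.append("external recipient: " + ", ".join(external))
    # Staff mailing themselves is the classic pre-departure pattern: the recipient carries their name.
    me = _letters(msg.sender)
    if len(me) >= 4 and any(me in _letters(r) for r in external):
        score += 1; reasons.append("recipient local part matches sender name")
    text = _text(msg)
    ids = len(set(MEMBER_ID_RE.findall(text)))
    if ids:
        score += 1; reasons.append(f"{ids} member-ID-like numbers")
    if ids >= 5:
        score += 2; reasons.append("bulk member IDs")
    if DOB_RE.search(text):
        score += 1; reasons.append("date of birth present")
    if any(k in text.lower() for k in PHI_KEYWORDS):
        score += 1; reasons.append("PHI keyword present")
    if any(a.lower().endswith(SPREADSHEET_EXT) for a in msg.attachments):
        score += 2; reasons.append("spreadsheet attachment to external recipient")
    action = "block" if score >= BLOCK_AT else "flag" if score >= FLAG_AT else "allow"
    return Finding(score, reasons, action)


def review_batch(messages: list[Message], id_threshold: int = 5) -> dict[str, dict]:
    """Aggregate flagged/blocked mail per sender: low-and-slow exfiltration of a few
    records per message shows up once the distinct member count reaches id_threshold."""
    per_sender = defaultdict(lambda: {"messages": 0, "blocked": 0, "ids": set()})
    for msg in sorted(messages, key=lambda m: m.sent_at):
        finding = score_message(msg)
        if finding.action == "allow":
            continue
        entry = per_sender[msg.sender]
        entry["messages"] += 1
        entry["blocked"] += finding.action == "block"
        entry["ids"].update(MEMBER_ID_RE.findall(_text(msg)))
    return {s: {"messages": e["messages"], "blocked": e["blocked"], "distinct_member_ids": len(e["ids"])}
            for s, e in per_sender.items() if e["blocked"] or len(e["ids"]) >= id_threshold}


# Constructed sample traffic (not real log data): a benign internal mail, a bulk export to the
# employee's own Gmail, two small follow-ups weeks later, and an unrelated vendor mail.
SAMPLE = [
    Message("2016-11-10T09:12:00", "care.coordinator@healthplan.example", ["team@healthplan.example"],
            "case review", "Member 111222333 needs a follow-up call."),
    Message("2016-11-14T18:02:11", "m.garcia@healthplan.example", ["mgarcia.home@gmail.com"],
            "nov worksheets", "Members: 123456789 (DOB 03/14/2009), 234567890 (DOB 11/02/2011), "
            "345678901 (DOB 07/30/2008). STAR Kids waiver type is in the sheet.", ["star_kids_budget_nov.xlsx"]),
    Message("2016-12-02T17:45:30", "m.garcia@healthplan.example", ["mgarcia.home@gmail.com"],
            "status check", "Can you look at 456789012 for me?"),
    Message("2016-12-19T17:58:04", "m.garcia@healthplan.example", ["mgarcia.home@gmail.com"],
            "two more", "567890123 and 678901234 as well."),
    Message("2016-12-20T10:00:00", "m.garcia@healthplan.example", ["claims@vendor.example"],
            "meeting", "Can we meet Thursday at 2pm?"),
]

if __name__ == "__main__":
    for msg in SAMPLE:
        f = score_message(msg)
        print(f"{msg.sent_at} {msg.sender} -> {msg.recipients}: {f.action} ({f.score}) {f.reasons}")
    print(review_batch(SAMPLE))
```

In the sample, the bulk export is blocked outright, but each of the two follow-ups only reaches "flag" on its own; it is the per-sender aggregation that shows the same account has sent six distinct member identifiers to a personal mailbox over five weeks, which is the slow pattern a routine review is likely to miss. A real deployment would tune the thresholds against the organization's own false-positive rate and would add the remaining identifiers the article lists (medical record numbers, for instance) in their local formats.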