Kentucky Counseling Center (KCC) has uncovered that a list of 16,440 clients has been illegally taken and shared with another person. A current member of staff is thought to have accessed and copied patient information without authorization, uploading the data to an anonymous file sharing service, and then sending a hyperlink to the list to a former staff member of KCC.
The former staff member was sent the link to the patient list on January 6, 2019 and reported the privacy breach to KCC.
KCC initiated an investigation into the insider breach to determine when the list was downloaded and who was to blame. KCC believes the list was taken on December 6, 2018 by a then-current staff member of KCC. That individual is no longer employed at the Counseling Center.
The reasons for the HIPAA violations are still not known – both the unauthorized access/theft and the subsequent impermissible disclosure to a former staff member. KCC outlined in its breach notification letter that there is no reason to think that the list was taken with the intent of causing harm to patients.
However, due to the nature of the data included in the list, the decision was taken to offer free credit monitoring services to affected patients for one year.
The range of information in the list was different from patient to patient and may have included the following data elements: name, residence details, date of birth, phone numbers, gender, marital status, employment status, insurance payor, insurance details, Social Security number, last and next appointment dates, and KCC clinician identity.
The steps taken to stop additional incidents such as this from occurring in the future include strengthening passwords and enabling multi-factor authentication on its computer system.
The KCC breach notice does not say whether the person responsible was fired or left KCC of his/her own accord, nor whether the breach was made known to law enforcement agencies.