Further information has been released on the Children’s Medical Clinics of East Texas data breach reported to the Office for Civil Rights late last month.
The breach report, posted on the organization's website today, states that the privacy breach was the result of an employee retaliating against the healthcare provider.
The unnamed employee, who has since had her employment contract terminated, took business documents home and failed to return them, and also inappropriately accessed and copied the medical records of a number of minors.
Screenshots were taken of the medical records which were subsequently disclosed to another individual who had also been employed by Children’s Medical Clinics of East Texas.
The information copied included medical diagnosis and treatment information, along with patient names and dates of birth. It is not clear what motivated the former employee, or why her grievance with her employer led to these actions. She had previously received training on HIPAA Rules and was presumably aware that her actions were against the law.
As a result of those actions all affected patients needed to be informed of the privacy breach, although it was impossible for the healthcare provider to determine which records had been accessed. Consequently, breach notification letters had to be sent to all patients who potentially had their records exposed in the breach. This meant approximately 16,000 notification letters had to be mailed.
The affected patients were minors, but it is not believed that they are at a high risk of coming to harm as a result of the privacy breach. The actions of the former employee were not believed to have been committed with identity theft or fraud in mind, and were deemed to be in retaliation for an unnamed grievance she had with her employer.
The healthcare provider has notified the police of the theft, and the OCR is within its rights to start criminal proceedings against the employee. The theft of PHI from a HIPAA-covered entity can result in a heavy fine being issued, and a prison term is also possible, even when records are not used to commit fraud.
The Children's Medical Clinics of East Texas data breach may be one of the most recently reported incidents caused by an employee obtaining and removing protected data, but it is just one of many that have occurred in the past few months.
Healthcare providers and other HIPAA-covered entities are currently fighting a battle on a number of fronts: cybercriminals intent on breaking through security defenses to obtain medical data and Social Security numbers for identity theft and fraud, and insiders abusing their access rights to data.
Attention may be focused on preventing external attacks in light of the massive data breaches caused by hackers, but it is equally important to implement controls that monitor employee access to records.