There have been a number of cases of employee healthcare data theft reported so far this year, and now two more incidents have emerged. When employees leave a healthcare provider and seek employment elsewhere, some are tempted to take patient information with them.
HIPAA Covered Entities Should Take Steps to Prevent Healthcare Data Theft by Employees
HIPAA Rules prohibit the sharing of patient health information for financial gain, and taking data from one employer to another without the consent of patients violates the HIPAA Privacy Rule. In both of the new cases, the privacy breaches appear to have been financially motivated, rather than to ensure the continuity of care of patients. Employee healthcare data theft can have a major financial impact on healthcare providers, and cause considerable distress to patients.
Baptist Health Discovers Ex-Provider Exported Data and Marketed Patients
Patients of Baptist Health started receiving phone calls from a new healthcare provider, Bray Family Medicine, in early August. Baptist Health started receiving phone calls from its patients on August 6 after they had been contacted by Bray Family Medicine. The patients questioned whether Baptist Health had provided their medical details to Bray. A number of calls from patients were received, which triggered an internal investigation.
That investigation revealed that a former provider at Baptist Health had exported patient lists prior to changing employer, and the information exported was deemed to be consistent with the marketing contact patients had received. Some patients were contacted by mail, others by telephone.
Baptist Health’s investigation revealed that patient names, addresses, telephone numbers, gender, ethnicity, rendering provider and referring provider were exported, as were the dates the patients had last visited Baptist Health for medical services.
While one former provider had downloaded the lists, other providers have also left Baptist Health clinics to join Bray Family Services, and a number of patients have since requested Baptist Health provide their medical records to the new healthcare provider.
In response to the unauthorized accessing and disclosure of patient PHI, affected patients were notified by mail of the HIPAA breach and received an apology for the privacy violation. It is not clear at this stage whether legal action will be taken against the individual concerned, but the HHS’ Office for Civil Rights has now been informed of the breach and may choose to investigate and take action.
Former CEO of Angels in Your Home Allegedly Took Patient Files to New Provider
Another case of employee healthcare data theft came to light on the same day, this time concerning the home health agency Angels in Your Home. Angels provides healthcare services to disabled patients in Arkansas, some of whom had been contacted by All-American Home Care, a rival healthcare provider, regarding changing service provider.
According to a statement issued by Bruce Darling, CEO of the Center for Disability Rights (CDR), an advocacy group for the disabled, the former CEO of Angels in Your Home, Marco Altieri, allegedly took confidential files to the new healthcare provider and arranged for that information to be used to contact some of his former company’s patients.
Patients were allegedly informed that Angels in Your Home was being taken over, and they were offered the same healthcare services with the new provider. As a result, at this point in time, nine individuals have requested to switch care services to All American Home Care.
The matter came to light when a patient contacted CDR regarding the non-payment of her attendants, which would potentially see them stop providing the care she needed and see her taken to a home. CDR subsequently contacted Angels in Your Home to find out why the patient’s attendants had not been paid, and was told that the individual’s files had been removed, which is why payment had not been made. Other files had allegedly been taken as well.
According to an article in the Democrat and Chronicle, Altieri’s lawyer has denied the claims of PHI theft. Darling has not been convinced, and neither has Angels in Your Home. The provider of home care services filed a lawsuit against Bray Family Medicine and Altieri (and other defendants) for the alleged HIPAA breach and theft of company data.
Darling released a statement condemning the actions of the former CEO, and said “When a trusted individual steals from, lies to, or manipulates the disabled people that they serve in order to make a profit, that trust is not just broken, it is ripped away.” This incident has not only financially affected Angels; it has also had a major impact on some of its disabled patients.
Darling has been encouraging affected individuals to seek advice from CDR about taking legal action for the privacy invasion. CDR will ensure that affected patients can find legal representation in this regard.