A Nurse Terminated and 10,970 Patient PHI Exposed Due to Breaches at Takai, Hoover & Hsu and Navicent Health

A former staff at a healthcare provider located in Germantown, MD allegedly accessed the protected health information (PHI) of roughly 16,542 patients. The data was purportedly provided to a third party and utilized for bogus transactions.

On April 10, 2019, County and state law enforcement informed Takai, Hoover & Hsu, P.A., the owner of THH Paediatrics in Germantown, about the apprehension of a person on account of an investigation of a problem not related to THH.

The arrested individual was related to THH’s employee who is said to have accessed and impermissibly exposed information that include patient names, birth dates, addresses of the patients’ parents and Social Security numbers.

THH took action without delay and looked into the allegations. THH likewise limited the employees who access patient data and requested the employee to go on a leave starting April 16 while waiting for the internal and police investigations results.

The ex-employee did not face any charges this point becaause no proof was uncovered that he stole or misused any patient data; in spite of this, THH made a decision to let the employee go on May 3, 2019 after getting more information from law enforcement. THH additionally submitted the incident report to the Maryland Board of Nursing.

A computer forensics company hired by THH did a comprehensive investigation of its computer systems to figure out what PHI, if any, was viewed or duplicated.

Monroe County Hospital (MCH) based in Forsyth, GA, notified 10,970 patients regarding the likely exposure of some PHI due to a data security incident at Navicent Health, which is a vendor of MCH.

Navicent Health notified the hospital about the potential PHI breach in a recent cyberattack on March 26, 2019. An unauthorized person accessed several email accounts of Navicent Health personnel. The email accounts included MCH patient information, which the unauthorized individual possibly accessed. This occurrence was part of a larger breach affecting more than 278,000 patients.

The forensic investigators revealed that the following PHI may have been compromised: patient names, birth dates, addresses, health record numbers, several health information, and some people’s driver’s license numbers or Social Security numbers.

MCH mailed breach notification letters on May 24 to the people impacted by the incident.