Employee of Arkansas Children’s Hospital Involved in PHI Theft Fired


Law enforcement investigated the involvement of an employee at Arkansas Children’s Hospital in the theft and improper use of patients’ protected health information (PHI). According to the breach report, the PHI of about 4,521 patients was potentially accessed and copied by the employee. The employee worked at Arkansas Children’s Hospital for 15 months from November 7, 2016 to February 6, 2018. During his employment, he was given access to PHI so as to carry out his assigned duties.

Arkansas Children’s Hospital was notified by law enforcement on May 9, 2018 about its investigation on the employee’s possible involvement in stealing Social Security numbers and other personal information of patients and the misuse of the same information.

As soon as Arkansas Children’s Hospital learned about the case, they conducted an internal investigation to find out which types of patient data were most likely viewed by the employee with no legitimate work reason. The hospital found out the types of information accessed by the employee. However, they could not determine which data was viewed in relation to work and which information was not.

As a result of investigation, the hospital reported the incident as a data breach. All affected patients received notification letters about the possible theft and misuse of their data. The following patient information were potentially stolen: names, addresses, birth dates, phone numbers, selected clinical data, medical insurance details, charge amounts, details of services received and Social Security numbers.

Arkansas Children’s Hospital gave all patients impacted by the data breach 12 months of free credit monitoring and identity theft protection services. As a security measure, patients were informed that they ought to keep track of their bank statements, Explanation of Benefits statements and credit reports to check for signs of fraudulent transactions.

The employee who violated hospital policies and HIPAA rules was dismissed from employment. Arkansas Children’s Hospital is now applying stricter hiring procedures. Existing hospital employees went through additional training to ensure they knew the internal policies and procedures of the hospital along with the HIPAA Rules on patient privacy.