Former Hospital Employee Breaches HIPAA by Emailing PHI

Yolanda Farrar-former employee of the Arkansas Department of Human Services (DHS)-has been fired from her position at the state hospital for breaching HIPAA legislation in March 2017. She was discovered to have emailed spreadsheets containing the protected health information of patients to a personal email account.

Yolanda Farrar worked as a payment integrity coding analyst for the DHS. According to a statement issued by DHS spokesperson, Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.”

The day before the announcement, Farrar had spoken with her supervisor about issues relating to her performance. At the meeting, she learned that her employment contract was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address.

Farrar sought legal counsel, and decided to take legal action against DHS for unfair dismissal. Attorneys working for DHS were preparing to represent the agency in court and were checking emails sent by Farrar through her work email account. They discovered the emails and spreadsheets on August 7. The DHS privacy officer was immediately notified of the discovery. The company launched an internal investigation into the incident.

The spreadsheets were found to contain a range of sensitive information of patients including names, birth dates, linked Medicaid identification numbers, diagnoses, codes for medical procedures, and some Social Security numbers. Each record in the spreadsheet was manually checked and after duplicates were removed. The DHS determined that the protected health information of 26,044 patients had been emailed to the personal account. In accordance with HIPAA’s Breach Notification Rule, these patients had to be notified of the breach of their PHI. DHS has confirmed that all individuals impacted by the incident will be notified of the privacy breach by mail this week.

By emailing the spreadsheets, Farrar breached DHS policies, state and federal laws. Farrar had since been employed at the state hospital; however, the discovery of the emails resulted in her being fired from that position. The investigation into the privacy breach is ongoing and the DHS intends to pursue criminal charges against Farrar.

The DHS already requires employees to undergo privacy training. All employees are required to pass a test on that training before they are allowed Internet access and are made aware that emailing confidential information outside the agency is prohibited.  A review of policies and procedures is being conducted to determine whether any further actions can be taken to reduce the potential for similar incidents from occurring in the future.