Insider Breaches at American Indian Health & Services and Madison Parish Hospital

A former employee of American Indian Health & Services violated HIPAA rules by forwarding email messages containing the sensitive information of some employees, patients, and vendors to a personal email account. American Indian Health & Services operates a community health clinic in Santa Barbara, CA.

American Indian Health & Services discovered the incident on March 7, 2019. An analysis of the former employee’s email account showed she forwarded email messages to her personal email account from March 26 to February 6, 2019.

The emails contained the following information: names, billing data, provider names and locations, amounts paid/owed for services provided, medical insurance and payor data, and Medicare/Medicaid and/or Medical numbers.

American Indian Health & Services reported the incident to law enforcement and to federal and state regulators, and notified the affected people by mail. No reports of misuse of patient information have been received to date. However, affected people were provided one year of free credit monitoring and identity theft restoration services.

The exact number of current and former patients impacted by the breach is presently uncertain.

Madison Parish Hospital Service District is informing 1,436 patients of Madison Parish Hospital and clinic in Tallulah, LA about the impermissible disclosure of some of their protected health information (PHI) to a third party.

A breach notice posted on the hospital web page stated that a hospital employee was found to have accessed a listing of patients and disclosed it to a third party.

Very little detail about the breach has been made public. There is no clear information about the third party, the types of data disclosed, or the motive for the data disclosure.

Madison Parish Hospital is convinced that there were no further exposures of data. The breach notice gives the date of discovery of the incident as February 20, 2018. It appears that the date stated in the notification is a typo and the incident was most likely discovered in February 2019.