Texas Children’s Health Plan has announced a breach of nearly 1,000 patients’ protected health information (PHI). The organization said the breach was discovered when it identified the information as having been emailed to the personal email account of a former employee.
The incident was discovered on September 21, 2017, although the former employee had emailed the data in November and December 2016. The emails were found during a routine review of data security.
Texas Children’s Health Plan responded to the breach promptly and has implemented measures to mitigate the risk of identity theft and other malicious use of the information. The health plan has also put additional safeguards in place to prevent similar incidents from occurring in the future, and has taken steps to ensure that employees are re-trained on hospital policies and HIPAA Rules.
While the reason for the PHI being emailed to the personal email account has not been disclosed, the breach report uploaded to the health plan’s website states that no evidence has been uncovered to suggest any plan member information has been used inappropriately. The plan also states that the incident has been reported to law enforcement, who may launch their own investigation into the event.
The incident has also been reported to the Department of Health and Human Services’ Office for Civil Rights. All patients impacted by the incident have been notified by mail, in accordance with HIPAA’s Breach Notification Rule. Breach notification letters were dispatched to patients on Friday, October 27, well inside the 60-day deadline allowed by the Breach Notification Rule.
Texas Children’s Health Plan identified the types of data included in the emails as names, telephone numbers, addresses, dates of birth, Medicaid numbers, waiver type, STAR Kids manager’s name and group, and information detailed in a budget worksheet. It further stated that the type and quantity of information varied for each patient. No financial information or Social Security numbers were included in the emails, although for a small number of patients the following information was also included: medical record numbers, medical diagnoses, and clinical information.
This type of incident is one of the more common ways in which HIPAA Rules are violated, and several HIPAA-covered entities have discovered similar incidents in recent months. Oftentimes, PHI is taken to a new employer to recruit patients to a new practice. In some cases, PHI is emailed to friends and relatives for assistance with data processing tasks. Some healthcare employees have stolen data with a view to committing identity theft and fraud.
HIPAA-covered entities should monitor for PHI theft via email. Ideally, technical restrictions should be put in place to prevent PHI from being emailed outside the organization, so that a message like the ones in this incident is blocked or held for review rather than discovered months later in a routine audit.
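The kind of outbound-mail check the last paragraph recommends, as an added example written for this article rather than code from Texas Children’s Health Plan or any vendor. It scores each outbound message on PHI indicators in the extracted text (a nine-digit Medicaid-ID shape, dates of birth, medical record numbers, diagnosis wording), on bulk spreadsheet attachments, and on whether the recipient is a personal webmail domain or the sender’s own name at an outside domain, then decides whether to block, quarantine or merely alert. The domains, the Medicaid-ID pattern and the sample records are all constructed assumptions; a real deployment would use the plan’s own identifier formats and a maintained list of consumer mail providers.

```python
"""Outbound-mail PHI check over constructed gateway records (added example).

Illustrative code written for this article, not software from Texas
Children's Health Plan or any vendor. Assumptions, all constructed:
  - ORG_DOMAIN is the covered entity's own mail domain;
  - PERSONAL_DOMAINS stands in for a maintained list of consumer webmail domains;
  - each record's `body` is the plain text the gateway already extracted from
    the message and its attachments.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ORG_DOMAIN = "healthplan.example"                           # constructed
PERSONAL_DOMAINS = {"webmail.example", "freemail.example"}  # constructed

# PHI indicators. The nine-digit Medicaid-ID shape is an assumption used for
# illustration; match the identifier formats your plan actually issues.
PHI_PATTERNS = {
    "medicaid_id": re.compile(r"\bmedicaid\s*(?:id|number|no\.?|#)?\s*[:#]?\s*\d{9}\b", re.I),
    "dob": re.compile(r"\b(?:dob|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "mrn": re.compile(r"\b(?:mrn|medical record (?:number|#))\s*[:#]?\s*\d{5,}\b", re.I),
    "diagnosis": re.compile(r"\bdiagnos(?:is|es)\b", re.I),
}
BULK_ATTACHMENT = re.compile(r"\.(?:xlsx?|csv)$", re.I)  # spreadsheet exports


@dataclass
class MailRecord:
    sender: str
    recipient: str
    subject: str
    attachments: List[str]
    body: str


@dataclass
class Finding:
    recipient: str
    indicators: List[str]
    bulk_attachment: bool
    self_addressed: bool
    action: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _local(addr: str) -> str:
    return addr.rsplit("@", 1)[0].lower()


def classify(rec: MailRecord) -> Optional[Finding]:
    """Return a Finding for an outbound message that warrants action, else None."""
    dest = _domain(rec.recipient)
    if dest == ORG_DOMAIN:
        return None  # internal mail is out of scope for this check
    text = f"{rec.subject}\n{rec.body}"
    indicators = [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]
    bulk = any(BULK_ATTACHMENT.search(a) for a in rec.attachments)
    if not indicators and not bulk:
        return None
    personal = dest in PERSONAL_DOMAINS
    # Same local part at an outside domain: the sender mailing themselves.
    self_addressed = _local(rec.sender) == _local(rec.recipient)
    if indicators and (personal or self_addressed):
        action = "block"        # PHI to a personal or self-addressed mailbox
    elif indicators:
        action = "quarantine"   # PHI to another external domain: hold for review
    else:
        action = "alert"        # bulk export with no visible PHI: log and notify
    return Finding(rec.recipient, indicators, bulk, self_addressed, action)


def scan(records: List[MailRecord]) -> List[Finding]:
    """Run classify() over a batch and keep only actionable results, in order."""
    return [f for f in (classify(r) for r in records) if f is not None]


# Constructed sample traffic: the second record mirrors the pattern in the
# article (member data sent to an employee's own personal mailbox).
SAMPLE_RECORDS = [
    MailRecord("j.doe@healthplan.example", "care.team@healthplan.example",
               "Member follow-up", [], "Medicaid ID: 123456789 needs a call."),
    MailRecord("j.doe@healthplan.example", "j.doe@webmail.example",
               "budget worksheets", ["members_q4.xlsx"],
               "Medicaid ID: 123456789, DOB: 04/12/2010, diagnosis in sheet"),
    MailRecord("j.doe@healthplan.example", "claims@partner.example",
               "Claim question", [], "MRN 0012345 needs review by Friday."),
    MailRecord("j.doe@healthplan.example", "friend@freemail.example",
               "Lunch?", [], "Lunch Friday?"),
    MailRecord("j.doe@healthplan.example", "vendor@partner.example",
               "Invoice", ["invoice.csv"], "Monthly invoice attached."),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.action:10s} -> {f.recipient}: {f.indicators} bulk={f.bulk_attachment}")
```

The three-way decision is the point: PHI bound for a personal or self-addressed mailbox is blocked outright, PHI bound for another outside domain is held so a reviewer can confirm a legitimate business-associate relationship, and a bare spreadsheet export only raises an alert because the text check cannot see inside an encrypted or image-only attachment. Whatever the action, every finding should be written to a log that is reviewed on a schedule far shorter than the ten months between the emails and their discovery in this incident.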