Emails sent to the personal email account of a former employee of the Texas Children’s Health Plan have been found to have exposed the protected health information (PHI) of 932 plan members.
The incident was identified on September 21, 2017, during a routine audit, although the former employee had sent the data to the personal account in November and December 2016.
Texas Children’s Health Plan reacted to the breach promptly and has taken a series of steps to mitigate risk. The health insurance plan has also established additional safeguards to prevent similar incidents from happening in the future and employees have been given more training on hospital policies and HIPAA Rules.
No reason has been given for why the PHI was sent to the personal email account. The breach notice posted on the health plan's website states that no evidence has been found to suggest any member information has been used inappropriately; the incident has nonetheless been reported to law enforcement.
The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights and all patients impacted by the incident have been notified by mail as is required by the HIPAA Breach Notification Rule.
Breach notification letters were mailed to affected patients on Friday, October 27, well inside the 60-day limit (counted from discovery of the breach) that the HIPAA Breach Notification Rule permits.
The data included in the emails varied from patient to patient, but in most cases consisted of names, telephone numbers, addresses, dates of birth, Medicaid numbers, waiver type, the STAR Kids manager’s name and group, and information from a budget worksheet. No financial information or Social Security numbers were in the emails, although for a small number of patients the following were also included: medical record numbers, medical diagnoses, and clinical history.
This type of incident is seen quite often, and several HIPAA-covered entities have experienced similar breaches in recent times. Often the PHI is taken to a new employer so that patients can be targeted for a new practice; in other cases PHI has been emailed to friends and relatives for help with data processing tasks, and some healthcare workers have taken PHI with a view to committing identity theft and fraud for profit.
PHI theft via email is therefore something HIPAA-covered entities should be monitoring for, and ideally outbound email should be subject to data loss prevention (DLP) controls that stop PHI from being sent to external accounts, personal webmail accounts in particular.
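As an added illustration of the kind of outbound-mail check the previous paragraph calls for (this is example code written for this page, not a tool used by the health plan), the following Python scans each message for external recipients and PHI indicators and returns an allow/alert/block verdict. The mail domains, the 9-digit Medicaid ID and 6-8 digit MRN formats, the bulk threshold and the sample messages are all assumptions constructed for the example; a real deployment would use the identifier formats the plan actually issues and its own partner allow-list.

```python
import re
from dataclasses import dataclass, field

# Hypothetical settings for this example: the plan's own mail domain, partner
# domains that may legitimately receive PHI, and webmail providers treated as
# personal accounts. None of these come from the article.
INTERNAL_DOMAIN = "example-plan.org"
APPROVED_EXTERNAL = {"partner-clinic.example"}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
BULK_THRESHOLD = 10   # distinct member IDs in one message; assumed policy value

# PHI indicators. The identifier formats (9-digit Medicaid ID, 6-8 digit MRN)
# are assumptions for the example, not the plan's real formats.
MEDICAID_ID = re.compile(r"\bmedicaid(?:\s*(?:id|#|no\.?|number))?[:\s]*(\d{9})\b", re.I)
MRN = re.compile(r"\bMRN[:\s#]*(\d{6,8})\b", re.I)
DOB = re.compile(r"\b(?:dob|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I)
CLINICAL_TERMS = ("diagnosis", "clinical history", "waiver type", "budget worksheet")


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    # (filename, text extracted from the attachment) pairs
    attachments: list[tuple[str, str]] = field(default_factory=list)


@dataclass
class Finding:
    verdict: str          # "allow", "alert" or "block"
    reasons: list[str]
    member_count: int     # distinct Medicaid IDs found in the message


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def phi_indicators(text: str) -> tuple[set[str], list[str]]:
    """Return the distinct Medicaid IDs and a list of other PHI signals in text."""
    ids = set(MEDICAID_ID.findall(text))
    signals = []
    if MRN.search(text):
        signals.append("medical record number")
    if DOB.search(text):
        signals.append("date of birth")
    lowered = text.lower()
    signals += [t for t in CLINICAL_TERMS if t in lowered]
    return ids, signals


def scan_message(msg: Message) -> Finding:
    external = [r for r in msg.recipients if domain(r) != INTERNAL_DOMAIN]
    if not external:
        return Finding("allow", ["all recipients internal"], 0)

    # Attachment names and extracted text are scanned together with the body,
    # since a spreadsheet attachment is where bulk member data usually lives.
    text = " ".join([msg.subject, msg.body] + [f"{n} {t}" for n, t in msg.attachments])
    ids, signals = phi_indicators(text)
    reasons = [f"{len(ids)} distinct Medicaid IDs"] if ids else []
    reasons += signals
    if not reasons:
        return Finding("allow", ["external recipients, no PHI indicators"], 0)

    personal = [r for r in external if domain(r) in PERSONAL_WEBMAIL]
    unapproved = [r for r in external if domain(r) not in APPROVED_EXTERNAL]
    if personal:
        reasons.append("personal webmail recipient: " + ", ".join(personal))
        return Finding("block", reasons, len(ids))
    if len(ids) >= BULK_THRESHOLD:
        # Assumed policy: bulk member exports never go by email, even to partners.
        reasons.append("bulk member data")
        return Finding("block", reasons, len(ids))
    if unapproved:
        reasons.append("unapproved external domain: " + ", ".join(unapproved))
        return Finding("block", reasons, len(ids))
    reasons.append("approved partner domain")
    return Finding("alert", reasons, len(ids))


def scan_all(messages: list[Message]) -> list[Finding]:
    return [scan_message(m) for m in messages]


# Constructed sample traffic for the example (not real messages).
SAMPLE = [
    Message("case.manager@example-plan.org", ["nurse@example-plan.org"],
            "Member follow-up", "Medicaid ID 123456789, DOB 04/02/2010, diagnosis: asthma"),
    Message("former.employee@example-plan.org", ["former.employee@gmail.com"],
            "FW: worksheet", "Keeping a copy for my records.",
            [("STAR_Kids_budget_worksheet.csv",
              "name,medicaid number,waiver type\n"
              + "\n".join(f"Member {i},Medicaid number {100000000 + i},MDCP" for i in range(12)))]),
    Message("care.coord@example-plan.org", ["intake@partner-clinic.example"],
            "Referral", "MRN 4471902, Medicaid ID 987654321, diagnosis code attached"),
    Message("staff@example-plan.org", ["vendor@somewhere-else.example"],
            "Lunch", "See you at noon"),
]

if __name__ == "__main__":
    for m, f in zip(SAMPLE, scan_all(SAMPLE)):
        print(f"{f.verdict:5} {m.sender} -> {', '.join(m.recipients)}: {'; '.join(f.reasons)}")
```

Run as a script, the second sample (a worksheet with a dozen member records forwarded to a personal webmail address, the pattern described in this article) is blocked, the referral to an approved partner is allowed but logged as an alert for review, and internal mail and PHI-free external mail pass. Counting distinct member identifiers rather than just matching one pattern is what separates a single referral from a bulk export.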