Breaches at Takai, Hoover & Hsu and Navicent Health Ended Up With a Fired Nurse and 10,970 Patient PHI Exposed

An ex-employee of a healthcare provider based in Germantown, MD is alleged to have accessed the protected health information (PHI) of approximately 16,542 patients. The information was allegedly given to a third party to be used for fraudulent transactions.

County and state police notified Takai, Hoover & Hsu, P.A., the operator of THH Paediatrics in Germantown, on April 10, 2019 that someone was apprehended because of an investigation of an issue unrelated to THH.

The arrested person was connected with an employee of THH who is alleged to have accessed and impermissibly disclosed patient data which include names, birth dates, addresses of the parents of patients and Social Security numbers.

THH immediately took action and investigated the accusations. THH also restricted the employee’s access to patient information and asked the employee to take a leave on April 16 while awaiting the results of the internal and police investigations.

There was no charges filed against the ex-employee at this point. There was no proof found that suggest the theft or misuse of any patient information; even so, THH decided to terminate the employee on May 3, 2019 after law enforcement presented more information. THH also reported the incident to the Maryland Board of Nursing.

THH called in a computer forensics firm to comprehensively investigate its computer systems and determine what, if any, PHI was accessed or copied.

Another breach occurred involving Monroe County Hospital (MCH) located in Forsyth, GA. MCH is informing 10,970 patients about the potential compromised of some of their PHI as a result of a security breach at Navicent Health, MCH’s vendor.

Navicent Health informed the hospital on March 26, 2019 about the potential compromise of some patient PHI in a recent cyberattack. A number of email accounts of Navicent Health employees were accessed by an unauthorized person. The email accounts contained MCH patient data and may have been accessed by the unauthorized person. This incident was part of a much bigger breach impacting over 278,000 patients.

Based on the forensic investigation, the compromised PHI included the following: Names, addresses, birth dates, medical record numbers, some health data, and the driver’s license numbers or Social Security numbers of certain people.

MCH sent notification letters by mail to the affected individuals on May 24.

About Christine Garcia 1192 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA