On September 21, 2017, Texas Children's Health Plan discovered an incident of PHI theft via email involving the healthcare data of 932 members. The PHI was allegedly emailed to a former employee's personal email account almost a year earlier, some time in November and December 2016. It was only discovered now because of a routine review.
Texas Children's Health Plan took action immediately to reduce the risk arising from the data breach. Employees received refresher training emphasizing HIPAA rules and hospital policies, and additional safeguards were implemented to prevent similar incidents.
According to the breach report that Texas Children's Health Plan uploaded to its website, there is no clear reason why the former employee emailed the PHI to his personal account. There is also no evidence that shows any member's information was misused. The protected data included in the emails differed from member to member. Most included the member's name, address, telephone number, birth date, waiver type, Medicaid number, STAR Kids manager's name and group, and other information listed in a budget worksheet. Members' financial information and Social Security numbers were not included in the emails. However, the medical record numbers, clinical information and medical diagnoses of a few patients were included.
To adhere to the HIPAA Breach Notification Rule, the health plan reported the breach incident to law enforcement and to the Department of Health and Human Services' Office for Civil Rights. The company also sent mail notifications to all patients impacted by the incident on October 27. This dispatch date is well within the maximum deadline permitted by the HIPAA Breach Notification Rule.
PHI theft via email at HIPAA-covered entities has become relatively common in recent months. Reasons for such incidents include: providing a new employer with information to recruit patients; providing friends with information for data processing tasks; and using the stolen data for identity theft and fraud. HIPAA-covered entities are advised to monitor closely for PHI theft. A restriction should be in place to prevent information from being emailed to recipients outside the organization.
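As an added example (not code from the article or from Texas Children's Health Plan), the following Python script shows the kind of outbound-mail check that would have surfaced this incident much earlier than a routine review: it scans constructed mail-gateway log lines for messages sent from an internal address to an external mailbox whose subject or attachment name hints at member data, and reports how long such activity went unnoticed. The log format, domain names and keyword list are assumptions for illustration.

```python
import re
from datetime import date

# Constructed sample of outbound mail-gateway log lines (not real data).
# Assumed format: date|sender|recipient|subject|attachment
SAMPLE_LOG = """\
2016-11-14|j.doe@healthplan.example|j.doe@personalmail.example|budget worksheet|member_budget_nov.xlsx
2016-11-15|j.doe@healthplan.example|case.mgr@healthplan.example|STAR Kids budget|budget.xlsx
2016-12-02|j.doe@healthplan.example|j.doe@personalmail.example|FW: member budgets|members_dec.xlsx
2016-12-05|m.ray@healthplan.example|audit@state-vendor.example|quarterly report|q4.pdf
"""

INTERNAL_DOMAIN = "healthplan.example"          # hypothetical organisation domain
PERSONAL_DOMAINS = {"personalmail.example"}     # hypothetical consumer-webmail list
# Words drawn from the breach description that suggest member data is attached.
PHI_HINTS = re.compile(r"budget|member|medicaid|star kids", re.I)

def parse_line(line):
    d, sender, rcpt, subject, attachment = line.split("|")
    return {"date": date.fromisoformat(d), "sender": sender, "rcpt": rcpt,
            "subject": subject, "attachment": attachment}

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def flag_external_phi(log_text):
    """Return messages from an internal sender to an external recipient whose
    subject or attachment name matches a PHI hint; mark personal-webmail hits."""
    hits = []
    for line in log_text.splitlines():
        m = parse_line(line)
        if domain(m["sender"]) != INTERNAL_DOMAIN or domain(m["rcpt"]) == INTERNAL_DOMAIN:
            continue  # inbound or purely internal traffic is out of scope here
        if PHI_HINTS.search(m["subject"] + " " + m["attachment"]):
            m["personal_webmail"] = domain(m["rcpt"]) in PERSONAL_DOMAINS
            hits.append(m)
    return hits

def dwell_days(hits, review_iso):
    """Days between the earliest flagged message and the review that found it."""
    review = date.fromisoformat(review_iso)
    return (review - min(h["date"] for h in hits)).days if hits else 0

if __name__ == "__main__":
    found = flag_external_phi(SAMPLE_LOG)
    for h in found:
        print(h["date"], h["sender"], "->", h["rcpt"], "| webmail:", h["personal_webmail"])
    print("undetected for", dwell_days(found, "2017-09-21"), "days")
```

Run daily against the real gateway log, an alert on the first hit turns a months-long exposure into a same-day investigation; the dwell figure is what the HIPAA risk assessment would otherwise have to estimate after the fact.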