The protected health information (PHI) of 932 members of Children Health Plan was emailed to the personal account of a former employee. The incident dates to 21 Sep 2017, although the employee sent the data in November or December 2016. The emails were found during a daily review analysis.
The Texas Children’s Health Plan took immediate action in response to the attack and worked to minimize the risk. To prevent such problems in the future, the Health Plan also implemented the Insurance plan. Additionally, all workers have been retrained on the HIPAA rules and the hospital policies. The purpose of the PHI leakage to the private account has not yet been revealed. The incident report was uploaded to the website. It explained that there is no evidence that the information has been misused. The incident was nevertheless also reported to law enforcement.
In accordance with the HIPAA Breach Notification Rule, the incident has also been reported to the Department of Health and Human Services’ Office for Civil Rights, and all affected patients have been informed by mail. The notification letters for the incident were sent to the patients on Friday, 27 Oct, within the time limit specified in the HIPAA Breach Notification Rule.
The information included in the emails varied by patient, but it mainly contained names, addresses, phone numbers, dates of birth, waiver type, Medicaid numbers and much more. Neither Social Security numbers nor financial information was included in the emails. For some patients, the information also included medical diagnoses, record numbers and clinical information.
Such problems are very common. In recent years, HIPAA covered entities have found many such incidents. Sometimes, the PHI is required to be provided to a new worker to bring new patients to a practice. In some cases, the information is sent to family members or friends to complete data processing activities. Some employees have also stolen the information to commit fraud.
It is recommended that HIPAA covered entities monitor for PHI theft via email. Preferably, restrictions should be put in place to check emails containing PHI that are sent outside the company.