Brian Day reports on another insider breach involving a HIPAA-covered entity:
A Pasadena child welfare agency has warned of a computer security breach that may have exposed the personal information of nearly 1,000 clients and staff members.
Hillsides, 940 Avenue 64, announced the data breach Wednesday. It was first discovered Dec. 8, when Hillsides officials learned that an employee had sent unencrypted files to a personal, non-Hillsides affiliated email address on five occasions between Oct. 10, 2014, and Oct. 19, 2015, Hillsides representatives said in a written statement.
The information sent contained names, social security numbers, home addresses and phone numbers for 468 Hillsides staff members, as well as names, birthdates, genders, medical identification numbers, therapists’ names and rehabilitative therapists’ names of 502 Hillsides clients.
The employee has since been terminated for violation of company policy, officials said.
Read more on Pasadena Star News.
I’m somewhat surprised the agency didn’t offer credit monitoring services as they couldn’t recover the files, and they are a HIPAA-covered entity, so the 502 clients means that this will show up on HHS’s public breach tool. There is no notice on their web site as of the time of this posting.
More importantly, has the (now former) employee been arrested??
Fired from job? Big deal. Most likely (s)he expected that outcome, but likely expected to make some $$ selling the data.
Why do companies not take that extra step? Might actually cause others to think twice if the worst they face is losing their job, but not their freedom.
Sigh…
There have been appallingly few criminal prosecutions under HIPAA. States, of course, are free to pursue criminal charges under other statutes. Like you said, I wish they would.