So it seems there was a reported insider breach affecting the Village of Oak Park, Illinois earlier this year. It was picked up by their local media at the time, but never reported to HHS. It’s now been reported to HHS, which is what sent me looking for coverage.
On February 25, the Cook County Chronicle reported that the village was investigating after an employee – subsequently identified as Jacquelyn Jamison – had emailed spreadsheet files to her personal computer. The files were connected to the village’s health plan.
That personal information, contained in electronic spreadsheets from Oak Park’s self-funded health insurance plan between 2011-2014, included names, Social Security numbers, dates of birth, and details regarding health-care benefits.
Of great importance, there was no indication that the files had been used in way to suggest malicious or illegal intent.
But the story didn’t end there. On March 29, the Cook County Chronicle reported that Jamison had “sued the village for retaliatory firing for whistleblowing after she said she and her lawyer told supervisors that money was missing from the village’s health insurance fund.”
Why the village delayed in notifying HHS as a health plan provider is unknown to DataBreaches.net at this time, but they notified employees in a timely fashion, even if they didn’t report it to HHS until August 18. HHS’s breach tool indicates that they reported the incident as affecting 688 employees.