So we’ve all read breach reports about employees or former employees stealing patient data to go start a new competitive practice or to help their new employer. And a blog post on Dental Practice Marketing and Management by Jim Du Molin about a dental hygienist stealing patient data for her new place of work read like just many other reports until I got to this detail about what happened when the victim dentist sued the former employee/hygienist after being tipped to what his former employee had been doing, which allegedly cost him about 150 patients and more than $1,000,000 in lost revenue over a five-year period:
You’d think it would be a slam-dunk. In court, Hygienist X point-blank admitted under oath that she had taken Dr. Michigan’s patient list.
Here’s the unbelievable part: the judge threw the case out, ruling that the patient list was not covered under the Michigan Uniform Trade Secrets Act. The judge was in effect saying that a doctor’s patient list is not protected information. (In a similar Pennsylvania case, the patient list was found to be a trade secret, but that’s of little help to Dr. Michigan.)
So Dr. Michigan now finds himself working two jobs just to pay his legal bills.
So in Michigan, it seems that even if you buy a practice and the purchase contract includes the patient list and a non-compete clause, you may have no redress if an employee then steals the patient data list.
Read more on Dental Practice Marketing and Management.
But what about under HIPAA? I would think the hygienist might be charged criminally under HIPAA for stealing PHI if the dental practice was covered by HIPAA. That might not help this dentist commercially, but maybe HHS prosecuting more cases criminally and issuing press releases about prosecutions might deter some others in the future?
At the very least, I would think that the victim dentist should file a complaint against the hygienist with the state licensing board and seek to have their license revoked or suspended for unethical conduct. Again, it would not necessarily help the victim dentist commercially, but insider-wrongdoing needs to be addressed. Did the hygienist’s new employer fire her after learning what she had done? If not, why not?