Douglas County Health & Human Services notifies patients that former employee accessed their records inappropriately

Posted on by Dissent

Alex Evans reports:

Unauthorized access of HIPAA-protected information by county employee, largely flies under the radar.

Six-months after the Douglas County Department of Health and Human Services determined an employee had accessed protected personal and health information without authorization, a notice appeared on the county’s website.

That notice can be found here. Fox21 reports some additional details that they were able to obtain from the department spokesperson, but

Our questions regarding any criminal investigation into the employee’s actions were directed to the Superior Police Department.

Chief of Police, Paul Winterscheidt, confirmed an investigation into unauthorized access of HIPAA information, began June 13, 2024. The investigation found that while HIPAA-protected information was access, it was likely not disseminated beyond the employee. The county prosecutor did not peruse charges following the investigation.

Read more at Fox21. The department spokesperson informed them that notification letters had been sent to 316 people, but didn’t reveal how many people were affected for whom they do not have current addresses. Nor did the department’s notice explain why it took so long for them to discover the improper access by the employee and what role the employee was in.

DataBreaches submitted an email inquiry to the county this morning that asked some specific questions about the incident and the county’s response, but no reply has been received.  The questions asked the county:

  • how many patients, total, had their PHI accessed without authorization or legitimate purpose by the now-former employee;
  • whether the county knows what the employee’s motivation was in accessing these patients’ records;
  • why it took from August 11, 2022 to May 13, 2024 to detect or confirm the improper access;
  • whether the county had any software deployed to detect improper employee access; and
  • what the county has done in response in the way of additional security controls to prevent employee wrongdoing of this kind.

This post will be updated if a response is received. In the interim, here is the county’s website notice:

Website Notification 12.10.24 final
Category: Health DataInsider