Here is today’s reminder of the insider threat and why it may be challenging, but it’s still necessary, to monitor and audit employee access to patient records to spot any inappropriate access.
Harris Health is notifying more than 5,000 patients that an employee — who was fired and referred to law enforcement when their wrongdoing was discovered — was accessing patient records without legitimate purpose and sharing the information outside of the health system.
The wrongdoing went on from January 4, 2011 – March 8, 2021.
A media report on the case from CW39 notes that disclosure was delayed due to a law enforcement hold on disclosure so as not to interfere with the criminal investigation.
The Texas health system has posted a substitute notice on its website. The notice states that the breach was discovered on February 10, 2021, but it does not explain how they discovered it. Harris disclosed the incident and began notifying patients as soon as law enforcement cleared them to do so.
Harris Health was reportedly unable to determine exactly which patients had their protected health information exposed outside of the organization, but the types of information included:
demographic information (name, date of birth, address, email address, telephone number, medical record number); clinical information (diagnoses, medical history, medications, immunizations, provider name, dates of service); and insurance information, which for a limited number of patients may have contained their Social Security number.
The employee was not named in the notice, nor was there any indication as to what has happened with any criminal case against them.