Michelle Marchante provides today’s reminder of the insider threat:
More than 2,000 patients at Jackson Health System had their personal data, including names, address and medical information, accessed in a lengthy breach that spanned nearly five years.
The data breach was conducted by a Jackson employee who accessed the information to promote a personal healthcare business, according to Jackson Health. Miami-Dade’s public hospital system announced the patient data breach Friday afternoon.
Jackson Health says its internal investigation found that the “unauthorized access” to patient records occurred between July 2020 and May 2025. The data breach included “patient names, birth dates, addresses, medical record numbers and clinical details,” but Social Security numbers weren’t compromised, according to the hospital.
Read more at The Miami Herald.
Jackson Health System (“JHS”) did not disclose which hospital in its system this happened at, but tried to paint itself as the victim of an employee it terminated immediately.
JHS offered no explanation as to why it took them five years to discover any inappropriate access. Did they have software in place to flag inappropriate access? How often did they audit? This is not the first time JHS has had an employee inappropriately accessing patient data for a five-year period. In 2016, they made a similar disclosure. And in 2019, HHS OCR settled charges against JHS stemming from its investigation subsequent to three breach reports, including the 2016 report. HHS’s press release at the time summed up its findings:
OCR’s investigation revealed that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members’ access to patient ePHI to the minimum necessary to accomplish their job duties.
At the time, HHS OCR settled the charges for a civil monetary penalty of $2.15 million. There was no corrective action plan or monitoring required as part of the settlement.
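The kind of check OCR's findings describe (regularly reviewing information system activity records against a minimum-necessary access model) is straightforward to run on chart-access audit logs. The example below is added here and is not JHS's code or anything the post describes; the log lines, user names and care-team assignments are constructed, and a record access is flagged whenever the user has no documented treatment relationship with that patient.

```python
"""Periodic review of EHR chart-access records: flag accesses that lack a
documented treatment relationship and measure how long the first such
access went unreviewed. Added example with constructed data, not JHS's."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (timestamp, user, patient_id, action).
ACCESS_LOG = """\
2020-07-14T09:02:11,nurse_a,P1001,view_chart
2020-07-14T09:05:40,nurse_a,P1002,view_chart
2020-07-14T12:31:05,clerk_b,P1003,view_chart
2020-07-14T12:32:19,clerk_b,P1004,view_chart
2020-07-14T12:33:02,clerk_b,P1005,view_chart
2020-07-15T08:15:44,nurse_a,P1001,view_chart
"""

# Constructed care-team assignments (e.g. derived from encounter data):
# user -> set of patient ids they have a treatment relationship with.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "clerk_b": {"P1003"},
}

def parse_log(text):
    """Yield (timestamp, user, patient_id, action) from CSV log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        yield datetime.fromisoformat(ts), user, patient, action

def review_access(text, assignments):
    """Return {user: sorted patient ids} for accesses with no documented
    treatment relationship. A user absent from `assignments` is treated
    as having no relationship with anyone, so every access is flagged."""
    flagged = defaultdict(set)
    for _ts, user, patient, _action in parse_log(text):
        if patient not in assignments.get(user, set()):
            flagged[user].add(patient)
    return {u: sorted(p) for u, p in flagged.items()}

def first_flagged_access(text, assignments):
    """Earliest timestamp of a flagged access, or None if nothing is flagged."""
    hits = [ts for ts, user, patient, _a in parse_log(text)
            if patient not in assignments.get(user, set())]
    return min(hits) if hits else None

def days_undetected(text, assignments, review_date):
    """Whole days between the first flagged access and the review date (ISO)."""
    first = first_flagged_access(text, assignments)
    return None if first is None else (datetime.fromisoformat(review_date) - first).days
```

Run on a nightly or weekly cadence, the gap reported by `days_undetected` stays in days rather than the years described above.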
What will HHS find now if it investigates fully?