Who? Texas-based Premier Patient Healthcare.
What? Unauthorized access to 37,636 records containing protected health information (PHI).
How? A former executive accessed the information after their employment had been terminated.
HIPAA Policies Should Protect
Of all the ways protected information can be stolen, the malicious insider is perhaps the most distressing. Patients trust their doctors with personal and private information, just as employers trust their workers to use discretion and follow protocols. When an employee is on their way out, whether amicably or not, there are usually policies in place to protect the interests of the former workplace. Non-compete and non-disclosure agreements are common in the healthcare industry. The rule that protects patient information is, of course, HIPAA.
It is the duty of the covered entity to protect that information.
A retired doctor or fired executive shouldn't access patient information; more than that, they should not be ABLE to access it. Offboarding an employee should involve resetting or removing every credential they hold and scrubbing any protected information from their devices.
Insider Exposed PHI
This can include deleting their accounts, changing passwords they had access to (and may remember), and revoking their authorization to access protected information in any internal or third-party database. The HIPAA Security Rule makes this explicit: 45 CFR 164.308(a)(3)(ii)(C) requires covered entities to have termination procedures that end access when employment ends. In June 2020 a terminated Premier Patient Healthcare executive accessed nearly 38,000 records. Investigators believe the access came through a third-party technology vendor. The likely explanation is that the executive's account with that vendor was never disabled or deleted, leaving high-level access in place; an offboarding checklist that covers only in-house systems misses exactly this case.
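The offboarding check described above, as an added example that is not code from the original post or from any organization it names: it reconciles an HR termination feed against account exports from every system that holds PHI (the internal directory and a vendor portal) and against the vendor's audit log, flagging accounts left enabled and any access dated after the user's last day, and reports how long such access went unreviewed. All data is constructed for illustration; the usernames, system names, exact dates and the timing of the review are hypothetical.

```python
"""Offboarding reconciliation: find accounts that should have been disabled
when a workforce member left, and any access made after that date.

All data in this module is constructed for illustration; usernames, system
names, exact dates and the review date are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed HR feed: username -> last day of employment.
TERMINATIONS = {
    "exec01": date(2020, 5, 29),    # hypothetical terminated executive
    "nurse07": date(2020, 3, 13),
}

# Constructed account exports: (system, username, enabled).
# A complete offboarding covers every system, not just the internal directory.
ACCOUNTS = [
    ("internal-ad", "exec01", False),     # disabled at offboarding
    ("internal-ad", "nurse07", False),
    ("internal-ad", "rn_active", True),   # current employee
    ("vendor-portal", "exec01", True),    # never removed at the vendor
    ("vendor-portal", "rn_active", True),
]

# Constructed vendor audit log: (ISO timestamp, username, records viewed).
VENDOR_LOG = [
    ("2020-05-20T14:02:00", "exec01", 12),       # before last day: expected
    ("2020-06-03T09:41:00", "exec01", 37636),    # after last day: a finding
    ("2020-06-03T10:15:00", "rn_active", 40),
]


@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    terminated_on: date
    detail: str
    accessed_on: Optional[date] = None   # set only for access findings


def lingering_accounts(terminations, accounts):
    """Accounts still enabled for users the HR feed says have left."""
    return [
        Finding(system, user, terminations[user], "account still enabled")
        for system, user, enabled in accounts
        if enabled and user in terminations
    ]


def post_termination_access(terminations, log, system="vendor-portal"):
    """Audit-log events by a terminated user dated after their last day."""
    findings = []
    for ts, user, records in log:
        last_day = terminations.get(user)
        if last_day is None:
            continue
        when = datetime.fromisoformat(ts).date()
        if when > last_day:
            findings.append(Finding(system, user, last_day,
                                    f"{records} records accessed on {when}",
                                    accessed_on=when))
    return findings


def days_undetected(terminations, log, review_date):
    """Days between the first post-termination access and the day the log was
    actually reviewed; 0 when there is nothing to detect. Accepts a date or an
    ISO date string for review_date."""
    if isinstance(review_date, str):
        review_date = date.fromisoformat(review_date)
    events = post_termination_access(terminations, log)
    if not events:
        return 0
    return (review_date - min(f.accessed_on for f in events)).days


if __name__ == "__main__":
    for f in lingering_accounts(TERMINATIONS, ACCOUNTS):
        print(f"REVOKE  {f.system:14} {f.user:10} left {f.terminated_on}: {f.detail}")
    for f in post_termination_access(TERMINATIONS, VENDOR_LOG):
        print(f"ACCESS  {f.system:14} {f.user:10} left {f.terminated_on}: {f.detail}")
    # A log first reviewed at the next annual audit leaves access undetected for months.
    print("days undetected at the 2021-04-15 review:",
          days_undetected(TERMINATIONS, VENDOR_LOG, "2021-04-15"))
```

The two lookups are deliberately separate: the account reconciliation is what a termination procedure should run on the day someone leaves, while the log check is what a recurring information system activity review should run on every system that holds PHI, so that an account the first step missed is caught in weeks rather than, as in this case, the better part of a year.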
Breach Discovered 1 Year Later
The breach was not discovered until nearly a year later, in April 2021. The investigation has found no evidence of intended or actual misuse of the data. However, even if the access was accidental or innocent, it is a stark reminder of how vulnerable patient data is when covered entities do not enact and enforce the policies HIPAA requires them to have: a termination procedure should have removed the access, and the regular information system activity review called for by 45 CFR 164.308(a)(1)(ii)(D) should have surfaced it long before a year had passed. Healthcare Technology Advisors guides clients through policies, procedures, risk assessments, and audits to ensure that nothing falls through the cracks.
If you’re not 100% confident that your practice is protecting patient data correctly, schedule an appointment now with our HIPAA experts by calling (314)312-4701.