Recent Healthcare Data Breaches Due to Stolen Laptops, Unauthorized Employee Access

There were a number of reported healthcare data breaches this week, including Miami-based Jackson Health System reporting that a “rogue” hospital employee may have stolen confidential patient information affecting more than 20,000 patients.

Also this week, the Washington State Health Care Authority (HCA) reported that an employee improperly handled the personal identification and private health information of 91,000 Medicaid patient files. And, auditing company Seim Johnson also reported a potential healthcare data breach that could affect more than 30,000 people.

Jackson Health System

In a press release posted to its website Tuesday, Jackson Health System that it has launched a full investigation and is cooperating with law enforcement agencies after it discovered a “rogue” hospital employee may have stolen confidential patient information, including names, birthdates, social security numbers and home addresses over the last five years.

The health system then posted an update Wednesday reporting that the employee in question, Evelina Reid, a hospital unit secretary, had her employment terminated. The health system said it is continuing to cooperate with law enforcement agencies on this investigation.

According to a Miami Herald article, hospital officials told the newspaper that the employee may have inappropriately accessed around 24,000 patient records.

Washington State HCA

The Washington State HCA reported that an employee error resulted in a healthcare data breach compromising 91,000 Medicaid patient files. The agency said in a statement posted to its website Tuesday that it had sent notification letters to 91,000 Apple Health clients of the data breach and the information affected includes clients’ social security numbers, dates of birth, Apple Health client ID numbers and private health information.

According to the statement, two state employees in two state agencies exchanged Apple Health client files in violation of requirements under the federal Health Insurance Portability and Accountability Act (HIPAA). Both employees assert that the exchange of information occurred because the HCA employee needed technical assistance with spreadsheets that contained the data and that the information was not used for any additional unauthorized purposes or forwarded to any other unauthorized recipients. The breach was discovered in the course of a whistleblower investigation into misuse of state resources.

Both individuals’ employment has been terminated, and the Washington State HCA said it is notifying the appropriate federal officials for further investigation and potential criminal review.

“While we have no indication that the client files went beyond the two individuals involved, important privacy laws were violated and we are exercising caution and due diligence given the nature of the information,” HCA Risk Manager Steve Dotson said in a statement.

Seim Johnson

Omaha, Neb.-based Seim Johnson, an accounting and consulting services company, reported to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) a data breach affecting 30,972 individuals due to a stolen laptop. Information about the breach was posted on the OCR online data breach reporting tool.

According to a HealthITSecurity.com article, Community Hospital in Nebraska may have bee one of the affected facilities as it had received a notification letter from Seim Johnson regarding a stolen laptop that may have contained patient's personal information. The article states that the hospital was notified that an employee laptop was stolen in Nashville in December 2015 and potentially exposed information likely includes patient names, a personal identifier such as a patient account number and medical record number.