Healthcare Information Security

S.C. Hospital Employee Violates Patient Privacy, Steals PHI

Although implementing adequate technical and physical safeguards to keep potential hackers from accessing patient health information is vitally important, those measures are sometimes not enough to prevent patient privacy violations and health data breaches. In some cases, the breach of information comes from an internal thief.


Such was the case at Bon Secours St. Francis Health System in Greenville, South Carolina. According to a hospital statement, the health system was notified this past August that several employees were receiving unpaid balances for an antibiotic cream, and others were reporting that their health insurance companies were being charged for the antibiotic creams. Upon closer investigation, St. Francis Health discovered that a hospital employee was responsible for these fraudulent charges. To ensure that no other information had been breached, St. Francis Health performed an audit on the responsible employee.

Upon performing the audit, St. Francis Health discovered that the employee had accessed the patient information of approximately 1,997 individuals, according to a Greenville Online article. Between January 1, 2014 and August 12, 2015, the employee had accessed patient files she did not have permission to view, compromising several pieces of health information for affected individuals. This information included patient names, dates of birth, driver’s license numbers, insurance information, clinical information, and potentially Social Security numbers.

Due to the employee’s illegal actions, St. Francis Health has contacted the authorities and the South Carolina Law Enforcement Division. Additionally, St. Francis Health has terminated the employee.

Furthermore, St. Francis Health reports that it will take several measures to ensure that an incident such as this will not occur again. For example, all employees will be required to take an additional training course on the proper handling of patient information, in addition to the mandatory course employees take annually.

“The training will remind our employees that inappropriate use, access or disclosure of patients’ information will result in serious consequences up to and including termination and, where applicable, the involvement of law enforcement,” St. Francis Health explained.

Additionally, St. Francis Health has distributed notification letters to all potentially affected individuals, and will be offering free credit monitoring services to those who apply.

St. Francis expressed deep sympathy for those potentially affected and stated that it regrets that this incident occurred.

“We deeply regret that this has happened. Bon Secours St. Francis takes its responsibility for protecting our patients’ personal information and using it in an appropriate manner very seriously,” the hospital said in a statement. “Please know that our employees work hard every day to provide excellent care to our patients. Words cannot express how deeply disappointed we are that this has occurred.”

Other healthcare providers have experienced similar incidents recently. In August, HealthITSecurity.com reported on a health data breach also caused by an internal theft.

Between February 2013 and June 2015, an employee at Merit Health Northwest Mississippi was stealing patient documents out of the hospital. Breached information included patient names, addresses, dates of birth, Social Security numbers, health plan numbers, and clinical information.

Merit Health suspended the responsible individual and terminated the former employee’s access to hospital buildings. Additionally, the hospital was reportedly cooperating with all law enforcement investigations into the incident.