The protected health information of patients with mental and developmental disabilities at the Center for Health Care Services (CHCS) in San Antonio were stolen by a former employee. CHCS already sent breach notification letters to the 28,434 patients who got treatment at the center before the summer of 2016.
The data theft happened over 17 months ago but it was only discovered on November 7, 2017. A CHCS press release told about the termination of the former employee on May 31, 2016, after which he downloaded the data onto his personal laptop. Knowledge of the data theft only came about during a litigation case between CHCS and the former employee. The nature of the litigation has not been disclosed.
The stolen data included a wide range of information of adult and pediatric patients such as names, addresses, dates of birth, Social Security numbers, medical record numbers, dates and types of services, progress notes, referral information, medical diagnoses, prescribed medicines, treatment plans, laboratory results, toxicology reports, autopsy reports, death certificates, death summaries, discharge dates and collateral hospital information.
It is not known why the former employee stole the data. Although there is reason to believe that the information was used for malicious purposes. CHCS advised its patients though that the data had not been shared with unauthorized persons except the former employee’s lawyers. So, it is believed that the patients are at no risk with respect to the data theft and no action from the patients’ part is necessary as a result of the breach. If there are any situational changes, the patients will be informed.
The lawyers of CHCS are seeking a protective order to stop any further attempt at disclosure of information and to delete the stolen information as soon as the court permits. CHCS has also taken the extra measures to prevent similar breaches from happening in the future.