Arkansas Children’s Hospital Employee Terminated For PHI Theft Involvement

Law enforcement is investigating a former employee of Arkansas Children’s Hospital for involvement in the theft and misuse of the protected health information (PHI) of patients. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the PHI of up to 4,521 patients had potentially been copied by the former employee.

From November 7, 2016 to February 6, 2018, the employee worked at Arkansas Children’s Hospital and during those 15 months was provided access to PHI in order to perform work duties. Arkansas Children’s Hospital was notified by law enforcement on May 9, 2018 that an investigation was being conducted over the possible theft of Social Security numbers and the personal information of patients and misuse of PHI for personal gain.

When Arkansas Children’s Hospital learned of the possible security breach, an investigation was launched to determine the types of patient information that were potentially accessed by the employee and whether health data was accessed without authorization. The hospital’s internal investigation could not determine which patients’ PHI had been accessed for work reasons and which had been improperly accessed.

Notification letters have been sent to all patients whose PHI was possibly stolen. The types of information potentially accessed included names, birth dates, addresses, telephone numbers, some clinical data, health insurance details, description of services received, charge amounts and Social Security numbers.

Because of the nature of the data breach, Arkansas Children’s Hospital offered all patients affected by the breach free credit monitoring and identity theft protection services for one year. As a safety precaution, it was recommended that patients check their financial statements, credit reports and Explanation of Benefits statements and pay attention to any sign of suspicious activity.

The employee involved in the breach has been terminated and Arkansas Children’s Hospital is currently implementing stricter checks when hiring new staff. Employees have undergone extra training to make sure they are aware of the hospital’s internal policies and procedures and HIPAA Rules on patient privacy.



About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: