Arkansas Children’s Hospital Employee Terminated For PHI Theft Involvement

Law enforcement is investigating a former employee of Arkansas Children’s Hospital for being involved in the theft and misuse of the protected health information (PHI) of patients. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the PHI of up to 4,521 patients had been potentially been copied by the former employee.

From November 7, 2016 to February 6, 2018, the employee worked at Arkansas Children’s Hospital and during those 15 months was was provided access to PHI in order to perform work duties. Arkansas Children’s Hospital was notified by law enforcement on May 9, 2018 that an investigation was being conducted over the possible theft of Social Security numbers and the personal information of patients and misuse of PHI for personal gain.

When Arkansas Children’s Hospital learned of the possible security breach an investigation was launched to determine the types of patient information that were potentially accessed by the employee and whether health data was accessed without authorization. The hospital’s internal investigation could not determine whether which patients’ PHI had been accessed for work reasons and which had been been improperly accessed.

Notification letters have been sent to all patients whose PHI was possibly stolen. The types of information potentially accessed included names, birth dates, addresses, telephone numbers, some clinical data, health insurance details, description of services received, charge amounts and Social Security numbers.

Because of the nature of the data breach, Arkansas Children’s Hospital offered all patients affected by the breach free credit monitoring and identity theft protection services for one year. As a safety precaution, it was recommended that patients check their financial statements, credit reports and Explanation of Benefits statements and pay attention to any sign of suspicious activity.

The employee involved in the breach has been terminated and Arkansas Children’s Hospital is currently implementing stricter checks when hiring new staff. Employees have undergone extra training to make sure they are aware of the hospital’s internal policies and procedures and HIPAA Rules on patient privacy.