Healthcare Employees Stole Patients’ PHI to Take to New Employers


Former employees of two HIPAA-covered entities accessed and stole patients’ protected health information (PHI) and took the information to their new employers.

Hair Free Forever is a permanent hair removal treatment provider in Ventura, CA. A former employee of the company was discovered to have stolen patient information and contacted the patients to try to get them to visit her new place of work. Hair Free Forever uses Thermolysis for permanent hair removal treatment, which is considered a medical procedure. Therefore, the company and its employees need to comply with HIPAA Rules.

Hair Free Forever has already notified the California attorney general about the data breach, and company spokesperson Cheryl Conway has informed affected patients. The theft only came to the company's attention after customers complained that the former employee had been contacting them.

When the security breach was investigated, it was discovered that the information the employee took included patients’ names, contact numbers, birth dates, medical histories, mental and physical conditions, diagnoses, treatment details, doctors’ names, medications, and intimate personal photos. Hair Free Forever has now taken steps to secure the PHI that was taken.

This breach incident has not yet appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal, so there’s no exact information on the number of patients affected. A complaint was submitted by Hair Free Forever to OCR regarding the HIPAA violation, although it is unclear whether any action will be taken over the privacy violation.

A similar breach incident happened at an independent physicians’ association based in Walnut Creek, CA. Muir Medical Group IPA disclosed the breach in late May, although the incident has only recently appeared on the OCR breach portal. A former employee of Muir Medical Group stole the PHI of 5,484 patients and provided that information to a new employer.

The data breach was discovered on March 7, and Muir Medical Group hired a third-party computer forensics firm to investigate the incident. The investigation revealed that the former employee took information including names, phone numbers, addresses, test results, diagnoses, treatment details, medications, and Social Security numbers. The affected patients had received treatment between November 2013 and February 2017. Muir Medical Group has offered all affected patients free credit monitoring services for one year.