A list of 16,440 Kentucky Counseling Center (KCC) patients was stolen and shared with another person. The person responsible is believed to have been a then-current employee of KCC who accessed and copied the patient data without authorization. The employee uploaded the information to an anonymous file-sharing site and then sent a link to the list to a former employee of KCC. Upon discovering that patient data had been shared, the former employee reported the privacy violation to KCC on January 6, 2019.
KCC conducted an investigation of the breach to determine who was responsible. KCC believes that an employee downloaded the list on December 6, 2018. That individual is no longer employed by the Counseling Center.
It is not known why the list was downloaded and uploaded to the file-sharing website, nor why that information was shared with a former employee. KCC mentioned in its breach notification letter that it is unlikely that patient data was taken with intent to harm patients.
Nevertheless, because of the sensitive nature of patient data included in the stolen list, KCC decided to offer affected patients 12 months of credit monitoring services without charge. The patients’ information that was included in the list differed from one patient to another and may have contained full names, birth dates, addresses, telephone numbers, gender, marital status, Social Security numbers, employment status, insurance providers, insurance numbers, last and next consultation dates, and KCC physicians’ names.
KCC has implemented additional safety measures on its computer system and now uses stronger passwords and multi-factor authentication. There is no mention in the KCC breach notice of whether the former employee who is alleged to have stolen the patient list was fired over the privacy violation, nor whether that individual was reported to law enforcement.