The Neurology Foundation, located in Providence, RI, found out that one of its employees had used the company’s credit card for unauthorized spending. According to the investigation, the employee copied and deleted a selection of patients’ sensitive data from the company. The former employee violated the policies of the Neurology Foundation by making a digital copy of patient data on an external hard drive, which the employee kept in his home.
The Neurology Foundation found out that the employee had made a copy of data onto a hard drive on the same day as his exit interview on May 3, 2017. That information prompted the Foundation to have a computer forensics company investigate the employee’s activities and find out what data the employee copied to the portable storage device and how many patients were affected by his action. The investigation showed that the ex-employee had violated company policies by duplicating sensitive information onto his/her computer and zip drives.
The data duplicated to the portable storage device contained the patients’ names, telephone numbers, addresses, birth dates, email addresses, medical insurance policy numbers, healthcare record numbers, diagnoses, specifics of treatments and prescribed medicines, bank account numbers, Social Security numbers, and patients’ nationality and gender. Although the information was possibly misused, the Neurology Foundation found no proof of such misuse. The investigators recovered the portable hard drive and secured the data it contained.
The unauthorized purchases using the credit card were only discovered in April. The HIPAA breach was discovered only in May, so patients were only recently informed about the compromise of their protected health information (PHI).
Delaying breach notifications is a violation of the HIPAA Rules. But in some instances, breach notifications to patients and to the state and federal government may be delayed at the request of law enforcement so as not to get in the way of a criminal investigation. In this case, law enforcement asked for notification to be delayed while the investigation was conducted. Since the requested delay has lapsed, the respective entities have been notified.
All patients affected by the breach were provided one year of credit monitoring services for free and were told to be watchful of possible identity theft and fraud. The breach was reported to the proper authorities, though the number of patients affected by the breach is presently uncertain.