200K HIPAA Covered Records Exposed by ‘Curious’ Staff Members

The Early Learning Coalition of Palm Beach County has revealed that a now departed member of staff has inappropriately accessed a database containing the medical records of up to 230,000 patients.

The database included personal information on parents and children who have attended centers or received services from the group. According to a statement released by the ELC, the affected people are thought to be those who received school readiness services or took part in the Voluntary Prekindergarten Education Program.

The unauthorized access happened at the Belle Glade office of Family Central Inc. and has been confirmed as having affected 37 patients, although the matter is still under review and the final number of victims is not yet known. The data that may have been accessed included personal information such as names and contact details, and almost half of the records in the database included Social Security numbers.

The former member of staff, who was not named in the statement, “accessed the database in an unauthorized manner in order to obtain the personal information, including social security numbers, of individuals contained in the database,” according to the ELC. The statement revealed that the individual was no longer employed at the facility.

The breach is thought to have been small, and the people confirmed as affected have been notified by email. As a precaution, however, all persons who have previously received services from the ELC have been advised to monitor their credit closely and to enroll for free credit alerts with one of the three major credit agencies.

An internal review is still underway, and law enforcement has been informed of the inappropriate data access. In response to the breach, the ELC reported that it has changed its policies to enhance data security and is restricting access to patient data. Staff will receive security training to ensure they are aware of company policies and their responsibilities under HIPAA.

It may be hard to determine the total number of records that were accessed if an adequate monitoring system was not in place to log access to the information, and the absence of such logging is itself something the OCR may consider a HIPAA violation. Under HIPAA regulations, any body or group required to store or use Protected Health Information must put appropriate physical, administrative and technical safeguards in place to secure health data. Even where only a small number of records have been exposed, fines can be issued for placing the entire database at risk, and these can amount to major financial penalties.
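As an added illustration (not code from the article or from the ELC), this shows the kind of per-record access audit log that makes scope determination possible: a constructed log, a sliding-window check that flags a user touching an unusual number of distinct records, and the distinct-record set per user, which is what a notification count has to rest on. The log format, user names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (no real data): timestamp,user,action,record_id
SAMPLE_LOG = """\
2014-02-03T09:01:10,jsmith,view,R1001
2014-02-03T09:02:41,jsmith,view,R1002
2014-02-03T09:03:05,kdoe,view,R2201
2014-02-03T09:03:20,jsmith,view,R1003
2014-02-03T09:04:00,jsmith,view,R1004
2014-02-03T09:04:30,jsmith,view,R1005
2014-02-03T09:05:10,jsmith,view,R1006
2014-02-03T09:06:00,kdoe,update,R2201
2014-02-03T09:07:00,jsmith,view,R1007
2014-02-03T09:08:00,jsmith,export,R1008
"""

def parse_log(text):
    """Parse CSV-style audit lines into (timestamp, user, action, record) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, rec = line.split(",")
            events.append((datetime.fromisoformat(ts), user, action, rec))
    return events

def records_per_user(events):
    """Distinct records each user touched: the set a notification count is based on."""
    seen = defaultdict(set)
    for _, user, _, rec in events:
        seen[user].add(rec)
    return seen

def flag_bulk_access(events, window_minutes=10, threshold=5):
    """Users who touched more than `threshold` distinct records inside any sliding
    window of `window_minutes`; returns {user: peak distinct count in a window}."""
    by_user = defaultdict(list)
    for ts, user, _, rec in sorted(events):
        by_user[user].append((ts, rec))
    window, flagged = timedelta(minutes=window_minutes), {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop events that fell out of the window
            distinct = {rec for _, rec in hits[start:end + 1]}
            if len(distinct) > threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged
```

Running `flag_bulk_access(parse_log(SAMPLE_LOG))` flags only `jsmith`, and `records_per_user` then gives the exact record IDs that user reached, which is the figure a breach notice needs.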