CHCS Employee Believed to Have Stolen PHI of 28,000 Subscribers

by Ryan Coyne | Dec 9, 2017

A provider of mental health treatment and support services for individuals with intellectual and developmental disabilities, Center for Health Care Services (CHCS), has foudn that documents containing the protected health information of patients have been illegally taken by a former member of staff.

Breach notification letters have been issued to 28,434 patients who received services at San Antonio-based CHCS prior to the summer of 2016 telling them of the breach.

The breach was only found on November 7, 2017, but the data theft happened more than 17 months ago. The former member of staff was terminated on May 31, 2016, with the data downloaded onto a personal computer after they were fired, according to a recent CHCS announcement.

The breach was found during discovery in a litigation case between the former member of staff and CHCS. No details have been made public about the nature of the litigation.

The stolen documents included a wide range of highly sensitive information on patients, including adults and children. Names, dates of birth, addresses, Social Security numbers, dates and types of services, medical details, referral information, progress notes, medical diagnoses, medications prescribed, treatment plans, laboratory and toxicology reports, death certificates, autopsy reports, discharge dates, death summaries and collateral hospital information were among the data taken.

The driving factor for the former employee taking the data is unclear, although it does not appear that the information has been used for malicious aims. CHCS believes the data has not been shared with any unauthorized people, other than the former employee’s attorneys. CHCS attorneys have also reportedly took a copy of the data.

According to the CHCS news release, patients are not believed to be at risk and there are no actions that need to be taken by patients as a result of the breach. Patients will be informed if the situation changes.

A CHCS statement said, “Attorneys for CHCS are seeking a protective order to prevent further disclosure of the information, and to verify deletion of the information as soon as the court permits.”

CHCS is also taking measures to ensure security is enhanced to stop future breaches of this nature from happening.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter