PHI of up to 160,000 Med Center Health Patients Allegedly Stolen by Former Employee

The Kentucky-based 6-hospital health organization Med Center Health has reported a data violation affecting around 160,000 patients. Med Center Health believes a former staff member may have stolen patients’ protected health information (PHI) prior to leaving their role with the group.

The former staff member has been accused of stealing PHI including names, addresses, health insurance information, Social Security numbers, procedure codes and billing information. Medical records were not accessed at any point.

The FBI has been advised and is also investigating along with other federal agencies. Med Center health is in the process of warning patients of the breach, although the process is predicted to take a couple of weeks due to the number of people that have been impacted.

While the breach has only recently been revealed, the data theft incidents date back to 2014 and 2015. The former employee is understood to have obtained an encrypted CD and encrypted portable storage device in August 2014 and February 2015. There was no acceptable work reason for ePHI to have been taken, although on both occasions the former employee argued that the data was needed for work-related duties.

The Bowling Green Daily News suggests Med Center Health found the breach several months ago, although notifications were delayed for some time. A representative for Med Center Health told Bowling Green Daily News “Med Center Health informed patients as expeditiously as possible. It is important to understand that the information leading Med Center Health to report the incident pursuant to HIPAA developed over time during an intensive internal investigation.”

Patients affected by the breach had received medical treatment at one of six Med Center Health facilities between 2011 and 2014: Cal Turner Rehab and Specialty Care, Medical Center EMS, the Commonwealth Regional Specialty Hospital, the Medical Center at Bowling Green, the Medical Center at Franklin and the Medical Center at Scottsville.

Patients affected by the breach have been offered one year of credit monitoring and identity theft protection services for free. Med Center Health has not found any evidence to suggest that any of the stolen information was used to commit fraud, although the possibility cannot miscounted.