Potential Theft of 4,500 Patients’ PHI by Former Arkansas Children’s Hospital Employee Being Reviewed

Jul 16, 2018

A former staff member of Arkansas Children’s Hospital is being investigated by law enforcement in relation to the theft and misuse of patients’ protected health information (PHI). The breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights states that the former staff member potentially obtained the PHI of up to 4,521 individuals.

The individual worked at Arkansas Children’s Hospital for 15 months, between November 7, 2016 and February 6, 2018. During that time, the individual was given access to patient health information in order to perform vital functions of the role.

On May 9, 2018, law enforcement notified Arkansas Children’s Hospital that an investigation had been initiated into the possible theft of patients’ Social Security numbers and personal information and the improper use of that information for personal profit.

Arkansas Children’s Hospital swiftly launched its own investigation to determine the range of information that may have been accessed and whether patients’ PHI had been accessed without adequate permission. While that internal investigation revealed the types of information that were potentially obtained, it was not possible to determine whether the information was accessed for work reasons or for other purposes.

As a result, the incident has been treated as a data breach, and all patients have now been notified of the possible theft and improper use of their PHI. The information that may have been stolen includes full names, dates of birth, addresses, contact telephone details, Social Security numbers, health insurance data, charge figures, descriptions of services received, and some clinical data.

As a precaution against possible identity theft and fraud, all 4,521 patients have been offered free credit monitoring and identity theft protection services for one year. Patients have been warned to review their credit reports, financial statements, and Explanation of Benefits statements for any sign of fraudulent transactions.

The staff member has been fired. Arkansas Children’s Hospital has now put additional hiring controls in place and has retrained its employees on internal policies and processes and on the HIPAA Rules covering access to patient data.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
