Potential Theft of 4,500 Patients’ PHI BY Former Arkansas Children’s Hospital Employee Being Reviewed

A former staff member of Arkansas Children’s Hospital is being investigated by law authorities in relation to the theft and misuse of patients’ protected health information. The breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights stated that the former staff member potentially obtained the PHI of up to 4,521 individuals.

That person was working at Arkansas Children’s Hospital for a period of 15 months between November 7, 2016 and February 6, 2018. During that duration the individual was given access to patient health information to perform vital functions of the role.

On May 9, 2018, law enforcement alerted Arkansas Children’s Hospital to make them aware that an investigation had been initiated over the possible theft of patients’ Social Security numbers and personal information and the improper use of that information for personal profit.

Arkansas Children’s Hospital swiftly launched an investigation to deduce the range of information that may have been accessed and whether patients’ PHI had been accessed without adequate permission. While that internal investigation revealed the types of information that was potentially obtained, it was not possible to determine whether the information was accessed for work reasons or other aims.

Due to this, the incident has been dealt with as a data breach and all patients have now been made aware of the possible theft and improper use of their PHI. The sort of information that may have been stolen includes full names, dates of birth, addresses, contact telephone details, Social Security numbers, health insurance data, charge figures, descriptions of services received and some clinical data.

As a precautionary measure due to possible identity theft and fraud, all 4,521 patients have been offered free credit monitoring and identity theft protection services for one year. Patients have been warned to review their credit reports, financial statements, and Explanation of Benefits statements for any sign of fraudulent transactions.

The staff member has been fired and Arkansas Children’s Hospital has now put in place additional hiring controls and has retrained its employees on internal policies and processes and HIPAA Rules covering the accessing of patient data.