Potential theft of Arkansas Children’s Hospital patients’ PHI
A former Arkansas Children’s Hospital (ACH) employee is under investigation for misusing patients’ personal health information (PHI) for personal gain, according to an announcement from the hospital.
ACH reported the breach to OCR June 29 and stated that 4,521 individuals may have been affected by the unauthorized access/disclosure of electronic health records. The former employee worked for ACH from November 7, 2016, to February 6, 2018.
The hospital learned about the breach May 9 when an investigator from the Social Security Administration reached out to say that the former employee was under investigation for misusing information, including Social Security numbers, for personal gain, Fox 16 reported. Although ACH’s investigation did not confirm whether the former employee accessed information for business or personal reasons, it is possible he or she gained access to the following patient information:
- Names
- Social Security numbers
- Addresses
- Telephone numbers
- Dates of birth
- Insurance information
- Amounts charged
- Descriptions of services
- Clinical information
According to the hospital’s June 29 statement, “ACH completed an audit of all the accounts that had been viewed by the individual while employed by the hospital. The investigation could not definitively confirm whether the former employee accessed information for business purposes or otherwise.”
In addition to assisting law enforcement with the investigation, the hospital notified all the patients whose PHI may have been affected, including providing complimentary credit monitoring and identity protection. The hospital has added controls to its hiring process and is re-training current employees on accessing PHI to prevent future incidents.