932 Texas Kids’ Health Plan Members’ Protected Health Information Sent by e-mail to Private Account by Worker

The PHI of 932 associates of the Texas Kids’ Health Plan has been found to have been sent by e-mail to the private electronic mail account of a former worker.

The case was detected on September 21, 2017, even though the former worker emailed the files late last year between November and December 2016. The electronic mails were detected during a usual check.

Texas Kids’ Health Plan reacted to the breach quickly and has taken action to alleviate the danger. The health insurance scheme has also applied additional protections to avoid similar events from happening in the time to come and workers have been re-trained on HIPAA Laws and hospice policies.

Although the reason for the Protected Health Information being sent by e-mail to the private electronic mail account hasn’t been revealed, the breach statement uploaded to the insurance scheme website describes no proof has been found to indicate any plan member info has been used wrongly. Nevertheless, the incident has been informed to police.

As is needed by the HIPAA Breach Notice Law, the case has been informed to the Division of Health and Human Services’ OCR and all patients affected by the occurrence have been informed by post. Breach notice letters were posted to patients on Friday, October 27, well within the maximum limit permitted by the HIPAA Breach Notice Law.

The kinds of files included in the electronic mails differed for each patient, however usually included: Names, addresses, telephone numbers, Medicaid numbers, dates of birth, STAR kids manager’s name and group, waiver type, and information detailed in a financial plan spreadsheet. No fiscal info nor Social Security numbers were contained in the electronic mails, even though for a few of patients, the following info was also included: Medical diagnoses, medical record numbers, and medical information.

This kind of happening is comparatively usual. Many HIPAA-protected units have found similar cases recently. Oftentimes, Protected Health Information is taken to provide to a new company to enlist patients to a new practice and a few instances have seen Protected Health Information sent by e-mail to relatives and friends for help with data processing jobs. A few healthcare workers have thieved data with a purpose of performing fraud and identity theft.

HIPAA-protected units must be checking for PHI thievery through electronic mail. Ideally, restrictions must be put in place to avoid PHI from being sent by e-mail outside the business.