Possible Thievery of 4,500 Patients’ PHI BY Former Arkansas Kids’ Hospital Worker Being Reviewed

July 16, 2018


A former staff member of Arkansas Children’s Hospital is being probed by law authorities in connection to the thievery and abuse of patients’ PHI. The breach notification tendered to the Division of Health and Human Services’ Office for Civil Rights declared that the ex-staff member possibly got the PHI of up to 4,521 persons.

That individual was working at Arkansas Children’s Hospital for a duration of 15 months between November 7, 2016 and February 6, 2018. During that period the person was given access to PHI to carry out important jobs of the role.

On May 9, 2018, police warned Arkansas Children’s Hospital to make them conscious that a probe had been started over the probable thievery of patients’ Social Security numbers and private information and the incorrect use of that information for personal advantage.

Arkansas Children’s Hospital quickly started an inquiry to determine the range of information that might have been retrieved and whether patients’ PHI had been retrieved without sufficient consent. Although that internal inquiry disclosed the kinds of information that was possibly obtained, it was impossible to decide whether the information was retrieved for work reasons or other purposes.

Because of this, the occurrence has been dealt with as a data breach and all patients have now been made conscious of the possible thievery and incorrect use of their PHI. The kind of information that might have been thieved includes full names, descriptions of services received, charge figures, health insurance data, Social Security numbers, contact telephone details, addresses, dates of birth, and some clinical data.

As a protective measure because of possible identity thievery and scam, all 4,521 patients have been offered free credit checking and identity theft safety facilities for one year. Patients have been cautioned to check their credit reports, fiscal statements, and Explanation of Benefits statements for any indication of fake dealings.

The staff member has been dismissed and Arkansas Children’s Hospital has now put in place additional employing controls and has restrained its workers on internal policies and procedures and HIPAA Rules covering the retrieving of patient data.