Harris Health Patient Records Involved in 10-Year Insider Data Breach

Harris Health, based in Texas, recently began sending notifications to over 5,000 patients about the potential impermissible access to their electronic health records by a former staff member. The unauthorized access had been continuing for ten years before it was discovered.

Harris Health operates Lyndon B. Johnson Hospital and Ben Taub Hospital, and a system of 37 clinics, specialty locations, and health centers across Houston, Texas. Although notification letters are only now being sent to the affected individuals, the unauthorized access was discovered on February 10, 2021. Harris Health launched an investigation, with support from a nationally certified digital forensics firm, to determine the scope of the former employee's HIPAA violation. The investigation found unauthorized access to patient records between January 4, 2011 and March 8, 2021.

After confirming that the employee had accessed patient health records without any legitimate work reason, Harris Health terminated the employee and notified the Federal Bureau of Investigation (FBI). Harris Health is assisting with the FBI investigation, which confirmed that the employee disclosed some patient data to unauthorized persons. Harris Health posted a substitute breach notice on its website, but the notice does not say why the employee accessed the records or what the disclosed data was used for.

Harris Health could not determine exactly which patients had their protected health information (PHI) disclosed to other people, so it sent notification letters to all individuals whose records the employee could have accessed. The letters were delayed at the request of law enforcement so as not to obstruct the investigation. Law enforcement requests to delay notification are not unusual, but a delay of roughly four years is atypically long; notifications are usually held back for only a few weeks or months.

The data that may have been viewed and disclosed includes demographic information (names, dates of birth, addresses, email addresses, and phone numbers), medical record numbers, clinical information (diagnoses, medical history, medications, immunizations, provider names, and dates of service), health insurance information, and, for some individuals, Social Security numbers. Individuals whose Social Security numbers were involved have been offered free credit monitoring and identity theft protection services.

All potentially affected individuals were advised to review their explanation of benefits statements and to report any services they do not recognize to their health insurer. Harris Health said it is providing additional HIPAA training to employees on the importance of protecting patient privacy, and is implementing additional tools for proactive monitoring of staff access to patient records and improved auditing capabilities so that unauthorized access can be identified more quickly in the future.

Under HIPAA, each workforce member must have a unique login so that their access to and activity involving patient data can be attributed to them. Access logs must be maintained to support investigations of unauthorized access to patient records, and those logs must be reviewed regularly. Routine log review limits the harm done when employees access patient records without authorization; a ten-year window of undetected access is exactly the failure mode it is meant to prevent. Collecting logs is not enough on its own: a review that has no expectation of what legitimate access looks like (for example, whether the user had a treatment relationship with the patient at the time) cannot distinguish snooping from routine care. HIPAA-regulated entities must also provide HIPAA training to workforce members at onboarding and annual refresher training covering their responsibilities under HIPAA and the importance of protecting patient privacy.
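The passage above, and the monitoring tools Harris Health says it is adding, describe the control that should have caught this earlier: audit logs tied to unique user IDs, checked against an expected pattern of access. The following is an added example (not code from Harris Health or from the original article) of that check run over constructed audit-log lines. It assumes a hypothetical log format of `timestamp user_id patient_mrn action` and a hypothetical encounter table listing each patient's care team; an access is flagged when the user was not on the patient's care team within a window around the access, and users who accumulate flagged accesses across several distinct patients are reported as snooping candidates.

```python
"""Flag EHR accesses that have no treatment relationship behind them.

Added example on constructed data. Every access record carries a unique
user ID (as HIPAA requires); each is checked against an "expected access"
model: the user must appear on the care team of an encounter for that
patient within window_days of the access. Accesses that fail the check are
flagged, and users with flagged accesses across many distinct patients are
reported for follow-up review.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines (hypothetical format): timestamp user patient action
AUDIT_LOG = """\
2021-02-01T08:02:11 u1001 MRN5001 VIEW_CHART
2021-02-01T08:10:45 u1001 MRN5002 VIEW_CHART
2021-02-01T08:14:03 u1001 MRN5003 VIEW_LABS
2021-02-01T08:20:19 u1001 MRN5004 VIEW_CHART
2021-02-01T09:05:00 u2002 MRN5001 VIEW_CHART
2021-02-01T09:30:12 u2002 MRN5005 VIEW_CHART
2021-02-02T12:44:51 u3003 MRN5006 VIEW_CHART
"""

# Constructed encounter table (hypothetical format): patient date care-team user ids
ENCOUNTERS = """\
MRN5001 2021-02-01 u1001,u2002
MRN5005 2021-01-30 u2002
MRN5006 2021-02-02 u3003
"""


def parse_audit_log(text):
    """Parse 'timestamp user patient action' lines into access records."""
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        accesses.append({"ts": datetime.fromisoformat(ts), "user": user,
                         "patient": patient, "action": action})
    return accesses


def parse_encounters(text):
    """Map each patient MRN to a list of (encounter_date, care_team) tuples."""
    encounters = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        patient, date, team = line.split()
        encounters[patient].append(
            (datetime.fromisoformat(date).date(), set(team.split(","))))
    return encounters


def has_treatment_relationship(user, patient, ts, encounters, window_days=7):
    """True if the user was on a care team for this patient within window_days of ts."""
    window = timedelta(days=window_days)
    for enc_date, team in encounters.get(patient, []):
        if user in team and abs(ts.date() - enc_date) <= window:
            return True
    return False


def flag_unrelated_accesses(accesses, encounters, window_days=7):
    """Return the access records for which no treatment relationship exists."""
    return [a for a in accesses
            if not has_treatment_relationship(a["user"], a["patient"], a["ts"],
                                              encounters, window_days)]


def snooping_candidates(flagged, threshold=3):
    """Users whose flagged accesses span at least `threshold` distinct patients."""
    per_user = defaultdict(set)
    for a in flagged:
        per_user[a["user"]].add(a["patient"])
    return {u: len(p) for u, p in per_user.items() if len(p) >= threshold}


if __name__ == "__main__":
    encs = parse_encounters(ENCOUNTERS)
    flagged = flag_unrelated_accesses(parse_audit_log(AUDIT_LOG), encs)
    for a in flagged:
        print(f"{a['ts'].isoformat()} {a['user']} accessed {a['patient']} "
              f"({a['action']}) with no treatment relationship")
    print("review candidates:", snooping_candidates(flagged))
```

On the constructed data, u1001 is flagged for three patients it had no encounter with, while u2002's access to MRN5005 passes because the encounter two days earlier falls inside the window. A production model needs more sources of legitimate relationship (scheduling, orders, coverage and on-call assignments, break-the-glass justifications) and a per-role baseline, but the structure is the same: every access attributed to a unique user, compared against an explicit expectation, with the exceptions reviewed on a schedule rather than left in the log.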

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown