Jackson Health System Reports Its Second 5-Year Insider Data Breach

Jackson Health System recently reported an insider data breach involving the theft of the protected health information (PHI) of over 2,000 individuals. The press release of June 6, 2025 stated that a trusted employee used his position to access patient data without authorization.

The employee accessed and stole data including names, dates of birth, addresses, clinical data, and medical record numbers, and used the information to advertise a personal healthcare enterprise. Jackson Health System said it terminated the employee immediately upon confirming the HIPAA violation, and it is working with law enforcement to investigate possible criminal HIPAA violations.

The breach notice did not say how Jackson Health System discovered the unauthorized access, whether it was flagged by an internal review of access logs or whether patients complained after the employee contacted them about his personal healthcare enterprise. Jackson Health said its internal investigation confirmed that the unauthorized access took place from July 2020 to May 2025, meaning it went unnoticed for five years.

It might not be possible to stop all insider data breaches, but enforcing policies and procedures helps ensure they are quickly recognized when they do happen. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities must routinely review activity logs in information systems that contain electronic protected health information (ePHI). Reviewing access logs is one of the main ways insider breaches are discovered. HIPAA does not specify how frequently these reviews must be performed, but a review every five years certainly would not satisfy the requirement.
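To make the log-review requirement concrete, here is an added example (not Jackson Health System's tooling, and not code from the article) of the kind of check a periodic ePHI access-log review can run. The log format (timestamp, user, medical record number, action, the patient's care unit), the staff-to-unit roster and the thresholds are all assumptions for the example, and the log lines are constructed. It flags three indicators of the pattern described above: records viewed outside the user's own care unit, a user viewing far more distinct patients in a day than peers, and access outside working hours.

```python
"""Periodic review of EHR access logs for insider-misuse indicators.

Added example only; the record layout, roster and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: timestamp  user  patient MRN  action  patient's care unit
SAMPLE_LOG = """
2025-05-01T09:12:00 nurse01 MRN1001 VIEW cardiology
2025-05-01T09:40:00 nurse01 MRN1002 VIEW cardiology
2025-05-01T10:05:00 clerk07 MRN1001 VIEW cardiology
2025-05-01T10:06:00 clerk07 MRN2001 VIEW oncology
2025-05-01T10:07:00 clerk07 MRN2002 VIEW oncology
2025-05-01T10:08:00 clerk07 MRN2003 VIEW oncology
2025-05-01T10:09:00 clerk07 MRN2004 VIEW oncology
2025-05-01T11:00:00 dr_lee MRN2001 VIEW oncology
2025-05-01T22:30:00 clerk07 MRN2005 VIEW oncology
2025-05-02T08:15:00 dr_lee MRN2002 UPDATE oncology
"""

# Constructed roster: which care units each user legitimately works in.
ROSTER = {
    "nurse01": {"cardiology"},
    "clerk07": {"cardiology"},
    "dr_lee": {"oncology"},
}


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skips blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, mrn, action, unit = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "mrn": mrn, "action": action, "unit": unit})
    return records


def find_cross_unit_access(records, roster):
    """Accesses to patients in a unit the user is not assigned to.
    Users missing from the roster have no allowed units, so all their access is flagged."""
    return [r for r in records if r["unit"] not in roster.get(r["user"], set())]


def daily_distinct_patients(records):
    """Count distinct patient records each user touched per calendar day."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["user"], r["ts"].date())].add(r["mrn"])
    return {key: len(mrns) for key, mrns in seen.items()}


def find_high_volume_users(records, factor=3.0, floor=5):
    """Flag (user, day) pairs whose distinct-patient count is both at least
    `floor` and more than `factor` times the median across all user-days."""
    counts = daily_distinct_patients(records)
    baseline = median(counts.values())
    return {key: n for key, n in counts.items() if n >= floor and n > factor * baseline}


def find_after_hours(records, start_hour=7, end_hour=19):
    """Accesses outside the assumed working window [start_hour, end_hour)."""
    return [r for r in records if not (start_hour <= r["ts"].hour < end_hour)]


def review(text, roster):
    """Run all three checks and return the findings grouped by indicator."""
    records = parse_log(text)
    return {
        "cross_unit": find_cross_unit_access(records, roster),
        "high_volume": find_high_volume_users(records),
        "after_hours": find_after_hours(records),
    }


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG, ROSTER).items():
        print(f"{kind}: {len(items)} finding(s)")
```

None of these checks proves wrongdoing on its own; a clerk may legitimately cover another unit. The point is that a user who trips all three (here, clerk07 viewing six oncology patients in one day from a cardiology role, including one late at night) surfaces for human review within the audit cycle rather than after years.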

This is not the first time Jackson Health System has experienced unauthorized access to patient data by an employee. In 2016 the health system reported an unauthorized access incident affecting the ePHI of 24,188 patients, which had likewise gone undetected for five years. According to that breach report, the health system implemented a new data security program to detect insider data breaches more quickly and easily.

The HHS' Office for Civil Rights (OCR) investigated Jackson Health System over that insider incident and found that the health system had violated several provisions of the HIPAA Privacy, Security, and Breach Notification Rules. In 2019, OCR imposed a $2.15 million financial penalty on Jackson Health System to settle the alleged HIPAA violations. Then OCR Director Roger Severino said that Jackson Health System's HIPAA compliance program had been in disarray for several years. The violations included the failure to regularly review audit logs of information systems that store ePHI.

About Thomas Brown
Thomas Brown worked as a reporter for several years at ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown