Paul Hampel reports:
St. Louis County officials are investigating a violation of federal health privacy law involving a health department employee who allegedly mishandled email information of inmates at the county jail.
The county said the employee emailed a document to the employee’s personal account containing names and social security numbers of some inmates from 2008 through last year.
The action violates the federal Health Insurance Portability and Accountability Act (HIPAA).
The county did not identify the employee, who has been fired.
Read more on St. Louis Post-Dispatch.
The media report does not name the facility whose inmates were impacted, but the St. Louis County Department of Health has posted a notice on its web site that does name it:
Information about HIPAA Violation
St. Louis County has learned that some personal information belonging to inmates was handled inappropriately at the St. Louis County’s Buzz Westfall Justice Center. Specifically, on November 18, 2014, it was discovered that a health department employee had e-mailed a document containing the names and social security numbers of inmates incarcerated from 2008 to 2014 to a personal e-mail account belonging to that same employee. Although no one other than that county employee is known to have had access to the information in that document, the action still constitutes a breach of federal law – specifically, the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
St. Louis County has notified the appropriate federal and local authorities of the violation and the person who handled the information inappropriately is no longer employed by St. Louis County. That former employee has stated she would cooperate fully throughout the investigation and St. Louis County has instructed her to immediately delete the document in question.
Again, there is no indication that anyone other than that former employee has had access to the information. Regardless, St. Louis County is strongly committed to patient privacy. It is something we take very seriously. Even though there is no indication that there was any intent to use the information to commit fraud, it is important to make sure that those potentially affected are fully aware of the violation that occurred and fully aware of the steps they are advised to take at this point. If you believe yourself to be one of those individuals included in the breach, you are advised to take the following steps:
- Call the toll-free numbers of any of the three major credit bureaus (listed below) to request a fraud alert notice on your credit report. This can help prevent a thief from opening additional accounts in your name. As soon as the credit bureau confirms your request, the other two credit bureaus will automatically be notified to place alerts on your credit report. All three bureaus will provide you a copy of your credit report free of charge.
TransUnion: (800) 680-7289 (888-909-8872 for freeze); http://www.transunion.com/personal-credit/credit-disputes/fraud-alerts.page; TransUnion Fraud Victim Assistance Department, P.O. Box 2000, Chester, PA 19022-2000. General: (800) 680-7289; www.transunion.com; P.O. Box 2000, Chester, PA 19022-2000.
- Order a copy of your credit reports every year. When you receive the reports, examine them closely and look for signs of fraud, such as credit accounts that are not yours. You can obtain a free copy of your credit report from each of the three major credit reporting agencies once every twelve months by visiting www.AnnualCreditReport.com, by calling 1-877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
- Continue to monitor your credit reports for fraudulent activity. Even though a fraud alert has been placed on your account, you should continue to monitor the reports to ensure an imposter has not opened an account in your name. If you discover any suspicious or unusual activity on your accounts or you suspect fraud, be sure to report it immediately to your financial institutions and to local law enforcement. Additionally the Federal Trade Commission (FTC) provides comprehensive information at www.FTC.gov/I, or call the FTC’s identity theft clearing house at 1-877-438-4338 (TTY: 1-866-653-4261), or write to the Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580-0001.
Should you have any questions or concerns about this HIPAA violation, please feel free to contact the health department at 1-844-615-2047.