TX: Employee with “retaliatory agenda” stole potentially 16,000 children’s medical records

HIPAA Journal reports:

An investigation conducted by Children’s Medical Clinics of East Texas has revealed a former employee took copies of children’s medical records and disclosed them to a third party. According to the breach report posted on the healthcare provider’s website, the privacy breach was caused by an individual with “a retaliatory agenda against the clinic.”

A Children’s Medical Clinics of East Texas employee was discovered to have removed business documents and taken them home, and failed to return them when requested to do so. It is not clear from the breach report when the incident occurred, but the decision was taken to report the matter to the police on August 10, 2015.

Read more on HIPAA Journal.

The full notice, written by their lawyers, follows:

Dear Parent/Guardian:

Children’s Medical Clinics of East Texas prides itself on its dedication to not only high quality medical care for your children, but also with federal and state compliance with the security and privacy of your medical records.

Recently, an employee of the clinic was found to have taken business documents home from the office and did not return them. The police were notified and a police report was filed by August 10, 2015. Thereafter, logs revealed the employee also improperly accessed patient health information by logging into patient records and providing a screenshot of patient records to an identified third party. This third party, who was a disgruntled ex- employee, appears to have a retaliatory agenda against the clinic. The employee has been terminated.

This firm has been retained to investigate the potential for a privacy breach regarding the improper access of records that contained confidential information such as Name, Date of Birth and PHI including diagnosis and treatment. At this time, there is no evidence the employee disclosed to others the information. We believe the employee engaged in these behaviors due to the likely retaliatory agenda stated above and not with any intent to harm patients. However, there is no way to narrow down which records were improperly accessed. Under HIPAA, this employee’s access was authorized and she had HIPAA training. However, once she became involved with forwarding information to a third party, her access was unauthorized. Therefore, the HIPAA privacy rules require that incidents be notified to you and reported to the regulatory agency, HHS.

If for any reason you feel that or become aware of harm to identity or reputation of these pediatric patients that may be related to this incident, credit monitoring may be offered. In addition, you may consider taking immediate steps to protect your identity as follows:

  1. Register fraud alert with 3 credit bureaus including Experian, TransUnion and Equifax;
  2. Monitor all accounts closely;
  3. Contact the local Consumer Protection Agency;

For additional information on consumer protection, access helpful web links such as

Children’s Medical Clinics of East Texas sincerely apologizes for any inconvenience and concern this incident has caused to you. In accordance with promulgated security measures, Children’s Medical Clinics is following a strict internal review process and upgrading all security systems in accordance with guidance provided by HHS including enhanced on-site security measures. Additional measures include a security watch, surveillance cameras, and more stringent HIPAA training.

If you receive any calls from anyone not associated with the clinic, or if you have any questions or concerns, please feel free to contact our office at 1-800-331-6844 between 8:30 am and 6:00 pm or by email to [email protected].

Diane K. Shaw, Attorney

About the author: Dissent

Comments are closed.