Little Rock Plastic Surgery (LRPS) is in the process of notifying patients of a data security incident in which a former employee illegally accessed the protected health information (PHI) of several patients.
LRPS, based in Arkansas, released a statement earlier this month detailing the incident. According to the statement, the organization discovered the breach on July 15, 2019. It was revealed that a former nurse at the clinic had accessed patients' information without the authorization to do so, an act which constitutes a significant violation of the HIPAA Privacy Rule.
The nurse went on to download and remove reports, photos, and other patient care and treatment information. The nurse also accessed the clinic’s vendor accounts to obtain appointment and further treatment information.
The nurse’s contract was terminated, and LRPS reported the incident to the Arkansas State Board of Nursing and the Arkansas Attorney General’s Office.
Following HIPAA’s Breach Notification Rule, LRPS also reported the incident to the Department of Health and Human Services’ Office for Civil Rights. All patients identified as being affected by the incident have been sent breach notification letters by mail.
In its statement, LRPS said the nurse acted of her own accord, "without the knowledge or consent" of Little Rock Plastic Surgery or its patients, and in violation of company policies.
LRPS has taken steps to ensure the stolen information has been returned to the clinic or destroyed.
It is currently unknown how many patients were affected by the incident.
LRPS has not commented on the nurse's motivation for stealing the patient information, although it is likely she intended to commit fraud or sell the data on to others for malicious purposes. This incident highlights that even though large-scale data security incidents receive a great deal of press coverage, smaller, 'internal' breaches must not be overlooked.