What's one of the worst things that can happen when a company doesn't shut off a former employee's access to protected health information? That former employee might just email herself that information--then refuse to give it back.
Children's Healthcare of Atlanta is suing Sharon McCray, former corporate audit advisor, claiming she stole protected health information (PHI) after announcing she was quitting on Oct. 16, the Atlanta Business Chronicle reports.
According to the article, Children's claims in its complaint that on Oct. 18--just two days after McCray announced she was leaving the hospital--it discovered that she had emailed to her personal email account the protected information belonging to the hospital, including "the PHI ... of children, DEA numbers, health provider license numbers for over 500 healthcare providers, confidential and attorney-client privileged communications, financial information, internal and external audits, and additional confidential and proprietary information belonging to Children's Healthcare."
During a meeting on Oct. 21, McCray admitted emailing the information to her personal email account, according to the article. She said she did it so she could use the PHI "as backup records for her new employment with an unidentified employer to use as a reference."
In correspondence between the hospital and McCray, she writes in an Oct. 22 email that she only sent the information to herself so she could "complete [her] job functions from home through the end of [her] employment." Children's claims it cut off access to her email and put her on a paid leave of absence on Oct. 21.
McCray's email also states that she would decide for herself "which documents fit within confidential and privileged communications, financial information, internal and external audits and patient information." But she asked the hospital for extra time to do so--and also asked which documents she needed to return.
The hospital replied on Oct. 22 that it was "surprised and disappointed" with her response, and that she had no right to keep any of the information. With that letter, the hospital terminated her employment immediately and warned her of the impending legal action.
As of Oct. 25, McCray still had not returned or destroyed the information, according to the hospital's complaint.
Meanwhile, data breaches aren't slowing down anywhere. Clinical Innovation and Technology reported Monday that an unsecured email put the PHI of 1,310 at risk at CaroMont Health in Gastonia, N.C. , including patient names, date of birth, addresses, telephone numbers, medical record numbers, diagnoses, last data of service, medications and insurance company names.
And Healthcare Informatics reported that Allina Health in Minneapolis notified 3,000 patients Monday of a security breach when a medical assistant unnecessarily viewed PHI at a clinic.
To learn more:
- read the article in the Atlanta Business Journal
- here's McCray's email to Children's Hospital of Atlanta
- check out the hospital's response and termination of McCray
- read the Clinical Innovation and Technology article
- here's the Healthcare Informatics article
Info for 57,000 patients at risk after laptop stolen from Lucile Packard
Hospital appeals $250K data breach penalty
Thefts at Stanford, Oregon hospitals jeopardize patient info for nearly 17k
Lost USB drive compromises info for Medicaid recipients
Health department breach impacts 24K Medicaid patients