10-year insider breach at Harris Health exposes patient records
Farah Amod
Oct 22, 2025 7:10:41 PM

More than 5,000 patients are being notified after a former employee accessed medical records without authorization for over a decade.
What happened
According to DataBreaches.net, Harris Health, a healthcare system in Houston, Texas, is notifying over 5,000 patients that their medical records may have been accessed inappropriately by a former employee over a 10-year period. The unauthorized access began on January 4, 2011, and continued until March 8, 2021, before being discovered in February 2021.
Following the discovery, Harris Health launched an internal investigation with support from a digital forensics firm. The investigation confirmed that the employee accessed patient records without a legitimate work-related reason and, in some cases, disclosed this information to unauthorized individuals.
Going deeper
Harris Health oversees Ben Taub Hospital, Lyndon B. Johnson Hospital, and 37 clinics and specialty centers throughout Houston. Due to the scope of access, the health system could not determine which individuals’ information had been shared, so notifications are being sent to everyone whose data may have been involved.
The breach notice explains that law enforcement delayed public notification for nearly four years to avoid interfering with the ongoing investigation, a longer delay than is typical. The FBI has been involved, and the employee responsible has been terminated.
The accessed data includes names, dates of birth, addresses, phone numbers, medical records, diagnoses, provider details, medications, immunizations, and in some cases, Social Security numbers. Affected individuals whose Social Security numbers were involved have been offered free credit monitoring and identity theft protection.
What was said
Harris Health stressed that it has implemented stronger auditing tools and now provides additional privacy training for employees. The health system is also urging patients to monitor explanation of benefits statements and to report any unusual activity to their health insurance providers.
The organization reiterated its commitment to HIPAA compliance, including the use of unique employee logins, regular access log reviews, and annual privacy training to detect and prevent similar incidents in the future.
The big picture
According to Bank Info Security, regulators have stepped up enforcement against insider-related HIPAA violations, issuing multimillion-dollar penalties for failures to monitor or restrict access to patient records. The U.S. Department of Health and Human Services (HHS) recently fined Gulf Coast Pain Consultants $1.9 million after a contractor accessed electronic health records to commit Medicare fraud, and BayCare Health System agreed to an $800,000 settlement following a malicious insider incident involving leaked patient records. Experts warned that insider breaches often stem from weak access controls, poor training, and “shortcuts” in managing user permissions. As one expert noted, “regular audits, user training, and having clear policies on access limitations are key practices that should be pervasive across covered entities.”
FAQs
Why was the patient notification delayed for so long?
Law enforcement, including the FBI, requested a delay to avoid compromising the investigation. While such delays are common, the nearly four-year period in this case is unusually long.
How can patients know if their information was misused?
Since specific disclosures could not be confirmed, affected individuals should watch for unexpected activity on their health insurance accounts or explanation of benefits statements and report anything suspicious.
What systems are in place to detect insider breaches like this?
HIPAA requires the use of unique employee logins and audit logs to track record access. Regularly reviewing these logs can help identify inappropriate access sooner.
Is Harris Health legally required to provide credit monitoring?
Not in all cases, but because Social Security numbers were involved for some individuals, Harris Health is offering complimentary credit monitoring and identity protection to those affected.
What can other healthcare organizations learn from this breach?
Regular audits, timely log reviews, continuous staff training, and proactive monitoring tools are needed to identify and stop unauthorized access, especially by insiders.
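The FAQ answer on unique logins and audit logs, and the closing point about timely log reviews, describe the control that would have caught this pattern years earlier: comparing who opened a record against who had a documented reason to. The script below is an added illustration and is not code from Harris Health or the article; the log format, the login names, the MRNs and the care-team mapping are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR audit-log lines (not real data):
# timestamp, user login, patient MRN, action.
AUDIT_LOG = """\
2021-02-01T09:12:03 nurse.k MRN1001 VIEW_CHART
2021-02-01T09:30:41 clerk.j MRN1001 VIEW_CHART
2021-02-01T10:02:17 clerk.j MRN2044 VIEW_CHART
2021-02-01T10:05:55 clerk.j MRN3190 PRINT_SUMMARY
2021-02-01T11:47:09 dr.m MRN2044 VIEW_CHART
2021-02-02T08:15:22 clerk.j MRN4412 VIEW_CHART
"""

# Constructed "treatment relationship" data: which logins had a legitimate
# reason to open each patient's record, as derived from encounter/assignment
# records in a real deployment (assumed structure, not a HIPAA-mandated one).
CARE_TEAM = {
    "MRN1001": {"nurse.k", "dr.m"},
    "MRN2044": {"dr.m"},
    "MRN3190": {"dr.m"},
    "MRN4412": {"nurse.k"},
}

def parse_audit_log(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "mrn": mrn, "action": action})
    return events

def find_unjustified_access(events, care_team):
    """Events where the user had no documented relationship to the patient."""
    return [e for e in events if e["user"] not in care_team.get(e["mrn"], set())]

def snooping_candidates(events, care_team, min_patients=2):
    """Users who opened at least min_patients distinct records without a
    care relationship; a single miss is often a data gap, a pattern is not."""
    by_user = defaultdict(set)
    for e in find_unjustified_access(events, care_team):
        by_user[e["user"]].add(e["mrn"])
    return {u: sorted(m) for u, m in by_user.items() if len(m) >= min_patients}

if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    for user, mrns in snooping_candidates(evs, CARE_TEAM).items():
        print(f"review: {user} opened {len(mrns)} records without a care relationship: {mrns}")
```

The output is a review queue rather than a verdict, since legitimate roles such as billing or quality review may not appear in encounter-derived care-team data; the threshold and the relationship source need tuning per organization.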