Former CVS Employee Steals PHI of 54K Molina Healthcare Members

A former employee of CVS, an Over-the-Counter benefits vendor contracted by Molina Healthcare, has been discovered to have stolen the Protected Health Information (PHI) of 54,203 current and former members of Molina Medicare Options Plus HMO SNP.

The unnamed employee emailed data from a work computer to a personal email account on March 26, 2015, and while no evidence has yet been uncovered to suggest that data have already been used to make fraudulent claims, affected members do face an increased risk of suffering identity, insurance and medical fraud.

According to the breach notification letter issued by Molina Healthcare, the information contained in the emailed file included patients’ full names, CVS ID numbers, CVS ExtraCare Health Card numbers, Rx Plan numbers, Rx Plan State, Plan start and end dates, and Member ID numbers. No financial information or Social Security numbers were exposed in the security breach.

Members have been offered credit monitoring services for a year without charge, and have been informed to place alerts on their credit files to protect against fraudulent use of their data. They have also been advised to keep a close eye on their credit, and to obtain credit reports every three months for the next 12 months.

Under the HIPAA Privacy Rule, patients can request copies of their medical records from their healthcare providers. Molina Healthcare has suggested that all affected plan members do this as an additional protection against medical fraud, as well as obtain a copy of any health insurance claims that have been made against their Molina Healthcare insurance policy. Affected (current) plan members will also be issued with new CVS ExtraCare Health cards.

Molina Healthcare Data Breach Highlights Importance of Monitoring for Employee Data Theft

Efforts can be made to protect computer networks from malicious outsiders, but protecting PHI from malicious insiders is more difficult. It is not possible to provide members of staff with access to systems containing PHI without introducing some risk of data being inappropriately accessed and copied.

It is therefore essential for HIPAA-covered entities to monitor staff email accounts and conduct regular audits to check for employee data theft. Ideally, a system should be introduced to restrict information that can be sent outside of an organization’s computer network.

Employee theft of PHI may not always be preventable, but it is possible to rapidly identify data theft when it does occur. When theft is identified rapidly, the risk of data being used for fraudulent purposes can be mitigated quickly.

According to the breach notice issued by Molina Healthcare, CVS responded quickly once it became aware of the breach and took steps to reduce the risk to members. Molina Healthcare was alerted to the theft of PHI on July 20, 2015. CVS discovered the data theft 4 months after it had occurred and Molina Healthcare then waited a further two months – as permitted by HIPAA Rules – to issue breach notifications letters to affected plan members.

HIPAA Rules allow covered entities up to 60 days to issue breach notification letters following a data breach, to give the covered entity time to conduct an investigation, but HIPAA also says that notification letters should be issued without unreasonable delay.

It is not clear why it took so long for CVS to identify the security breach, nor why Molina Healthcare deemed it necessary to wait two months to notify affected members.

Healthcare Data Theft Carries Still Penalties

Employees are the weakest link in the security chain, and while the vast majority of healthcare workers respect the privacy of patients, recent months have seen a spate of employee data thefts uncovered.

Funds and medical services can be fraudulently obtained with patient and plan member data, but employees discovered to have stolen PHI face stiff penalties for healthcare data theft. Jail terms of up to 10 years are possible, with a further 2 years tacked onto the sentence for aggravated identity theft. The Department of Justice appears keen to make an example of healthcare data thieves, and long terms of incarceration can be expected.

Leave a Comment