Quite often we hear about data breaches, but we don’t always hear about the consequences. On February 17, Memphis, TN media sources ran articles about a man who was indicted on felony fraud charges. According to a Commercial Appeal newspaper article:
“Jeremy Jones is charged in a scheme to steal the identities of more than 145 patients of Memphis Neurology, car dealers and people he knew during 2011, 2012 and 2015, according to a news release.”
“The potential loss to the financial institutions is $1,660,587.30.” Of course we don’t know at this point what harm was caused to the bank account of patients. In a related article, Mr. Jones is alleged to have gotten the patient information from a former employee of the practice. No matter how you look at this, it’s a big mess, and a big problem for this practice.
How did all this happen? At this point we don’t know, and it’s not clear if we will ever know. This is a potential HIPAA violation of less than 500 patients. But there are a lot of unanswered questions here:
- Did the practice have HIPAA policies and procedures?
- Were the policies and procedures followed?
- Did the practice issue due care in checking on employee access to patient records?
- Did the practice adequately train all its employees?
Harm to Reputation
The practice will have to answer these questions. Let’s think about this from the practice’s standpoint. It has already suffered reputational harm. This was on Memphis TV, in all the newspapers and probably talked about in coffee shops and diners all over town. Will they lose patients? Will prospective patients stay away?
What about the $1.6 million? Whoever lost that money due to fraud is going to want it back. If the practice was negligent, they might have to pony up that money. And what about the legal fees in dealing with all of this? And the distraction to the practice administrators and the physicians?
There are lots of unanswered questions at this time. Here is another one. This is most probably a preventable issue; wouldn’t it be better if this had never happened?