Incident Details
A former vice president of Commonwealth Health Corporation, Mark Kevin Robison, has recently been sentenced to 2 years of probation and ordered to pay $140,000 in restitution following a plea deal reached with federal prosecutors over a breach of HIPAA rules. Robison admitted to unlawfully disclosing patients' protected health information from Commonwealth Health Corporation (CHC) to an unauthorized third party between 2014 and 2015 without the patients' or CHC's consent. During his tenure as Vice President of CHC, Robison employed Randy Dobson as a vendor for patient account collection. In 2011, Robison and Dobson together established OPTA LLC, a Kentucky company, with the intention of creating and selling a software solution to healthcare providers. OPTA Kentucky was dissolved in 2014, but a similar entity called Delaware OPTA was formed that year, with Dobson as the sole proprietor. Robison aimed to benefit financially from this software after leaving CHC. In 2014, Robison directed the CHC IT department to share patient data with Dobson for testing the software, without proper authorization from CHC or the affected patients; the sharing continued from 2014 to 2015.
Incident
How Did the Breach Happen?
Between 2014 and 2015, Mark Kevin Robison, who was once a vice president at Commonwealth Health Corporation (now known as Med Center Health) in Kentucky, intentionally shared patients' protected health information with an unauthorized third party without proper consent. Neither the patients nor CHC had given him permission to release the records.
What Data has been Compromised?
The security breach resulted in the exposure of sensitive medical data belonging to patients of Commonwealth Health Corporation (CHC).
Why Did the company's Security Measures Fail?
Mark Kevin Robison, a former CHC vice president, deliberately shared patients' protected health information without permission and under false pretenses, causing the company's security measures to be compromised.
What Immediate Impact Did the Breach Have on the company?
The breach resulted in the immediate infringement of patient privacy, potentially damaging the reputation and trust of Commonwealth Health Corporation (CHC).
How could this have been prevented?
The breach could have been avoided by enforcing more stringent access controls and monitoring mechanisms to identify unauthorized sharing of patient data. Furthermore, offering adequate training and education on HIPAA laws and the penalties for non-compliance could have played a role in averting similar occurrences.
What have we learned from this data breach?
This breach underscores the importance of upholding stringent security measures and of ensuring that individuals handling sensitive data strictly adhere to legal and ethical norms. It also highlights the need for continuous training and supervision to mitigate risks posed by insiders.
Summary of Coverage
Mark Kevin Robison, previously a vice president at Commonwealth Health Corporation (now known as Med Center Health), has been placed on 2 years of probation and ordered to pay $140,000 in restitution for unlawfully disclosing patients' protected health data. The incident took place from 2014 to 2015 and endangered the confidentiality of patients at Commonwealth Health Corporation. Improved access controls, monitoring systems, and adequate training on HIPAA regulations could have averted this breach.