Douglas County Health and Human Services in Wisconsin recently notified patients about an incident involving unauthorized access to their protected health information (PHI) by a former employee. The breach was identified in May 2024, following an internal investigation that determined an employee had accessed PHI without proper authorization. While the department stated there was no evidence that the information was shared or used for malicious purposes, the violation of patient privacy has raised concerns about the effectiveness of internal controls.
The investigation, led by the Superior Police Department in Wisconsin, confirmed that the employee accessed patient records without a legitimate reason. Despite the breach, no criminal charges were filed, and the investigation concluded that the information was likely not disseminated beyond the individual responsible. However, the department has not provided specific details about the motivation behind the employee’s actions or how long the unauthorized access continued before it was detected.
In response to the breach, Douglas County Health and Human Services sent notification letters to 316 affected patients, informing them of the incident. The department has not disclosed the total number of individuals whose data was accessed but has indicated that it could be higher due to incomplete contact information for some patients. The breach was first detected more than 18 months after the employee’s actions began, raising questions about the department’s monitoring practices and whether additional security measures will be implemented.
Although the department has not yet shared whether it has deployed specific software to detect improper employee access, the incident underscores the need for stronger security protocols to protect sensitive patient data. As the county continues to address the breach, patients remain concerned about the delay in detection and the potential consequences of the unauthorized access. The county has yet to provide further details on its response and plans for preventing future incidents of this nature.
Reference:
