Jackson Health System

Federal law enforcement notified Federal law enforcement the covered entity (CE), Jackson Health System, on March 21, 2012, that a volunteer at Jackson North Medical Center photographed paper documents containing the protected health information (PHI) of 566 patients, allegedly for use in an identity theft scheme. The type of PHI involved in the breach included patients’ names, social security numbers, addresses, and birthdates. The Ce provided breach notification to HHS, affected individuals, and the media and posted substitute notice on its website. It also offered one year of free credit monitoring. In response to the incident, the CE revised its HIPAA policies and procedures. The CE updated its volunteer program to prohibit the use of smartphones in patient care areas, require volunteers to agree in writing to conform to its privacy policies and procedures, and provide nursing staff with a list of volunteers’ permitted job duties. The CE also changed the leadership of the volunteer program and increased the supervision of the volunteers. OCR obtained assurances that the CE implemented the corrective actions listed above.
Location of breached information: Paper/Films
Business associate present: No