Pediatric Clinic Breach affects 16,000 in Texas, Underscores Insider Threat

Two disgruntled employees, a lawsuit and a trail of improper access are behind the latest HIPAA violation.

Two disgruntled employees, a lawsuit and a trail of improper access are behind the latest HIPAA violation, which concerns a breach affecting 16,000 patients of Texas pediatric clinics.

According to a report by, a staff member at Children’s Medical Clinics of East Texas, in Kaufman, Texas, engaged in widespread theft of patient data, including taking business records home and taking screen shots of patient records. The information was provided to a former co-worker, who was engaged in a dispute with the clinic.

The theft at the clinic, which was described in a letter posted on the clinics’ web site, describes a sustained campaign of data theft with the intention of aiding a former co-worker who “appears to have a retaliatory agenda against the clinic.”

After noting in August that the employee took “business documents” home from the office without returning them, the clinic notified the police. A subsequent search of clinic log files revealed that the employee in question had been “improperly” accessing patient health information by logging into patient records and “providing a screenshot of patient records to an identified third party.”

The stolen information contained confidential data such as the patient’s name, date of birth and patient health information such as diagnosis and treatment. It is not clear what – if anything – was done with the data, a firm hired by the clinics said. In fact, the clinic isn’t able to “narrow down which records were improperly accessed.”

The incident underscores the difficult challenge faced by healthcare providers, which must provide access to patient information to a wide range of staff, but are also bound by the federal HIPAA regulations to protect that data from inadvertent exposure. In the case of the Texas pediatric clinics, both the employee who stole the data and the former employee who received it were described as “front office clerical workers.” According to the clinics’ law firm, the employee who stole the data was authorized to access it and had received HIPAA training. Nevertheless, forwarding that information outside the clinic was a violation of HIPAA’s privacy rule.

The difficulty of securing data from malicious insiders is prompting more organizations to look for ways to mitigate the impact of incidents like this. A recent survey of corporate officers conducted by Veracode and NYSE found that 52% had subscribed to employee or insider threat liability coverage. More than a third of the executives polled (35%) said they were seeking coverage against loss of sensitive data caused by software coding and human errors.

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.

Children's Medical Clinics logo via

Paul Roberts

Please post your comments here

Dan Geer: The 5 Myths Holding Your Security Program Back

Use this eBook to find out if any of these myths are hurting your security program.

Download now

Related Articles
Friday Five: 9/28 Edition

Ransomware hits the Port of San Diego, the EU pushes for a data audit of Facebook, and more - catch up with the week's infosec news with this wrap-up.

Email Blunder Exposes Identity of 780 HIV Patients in the UK

Healthcare organizations face a myriad of security threats. But the news this week about a UK clinic exposing the identities of 780 HIV positive patients was a purely self-inflicted wound.

Former Employee Accessed Medical Records For Nearly a Year

A hospital in upstate New York said it recently discovered a former employee inappropriately accessed patient medical records from 2016 to 2017.