Insider Breach at hospital lasted 10 years!

HealthCareInfoSecurity.com reported that “Harris Health is contacting 5,000 patients about a breach involving a former employee who improperly accessed electronic health records for over a decade. The Texas healthcare organization said it learned of the incident and reported it to the FBI four years ago.” The October 7, 2025 article entitled “Hospital Insider Breach Lasted 10 Years, Led to FBI Inquiry” (https://tinyurl.com/h3djnjt5) included these comments:

The Harris Health employee accessed patients' EHRs without a work-related reason from Jan. 4, 2011, to March 8, 2021. The healthcare entity said it "learned" of the incident on Feb. 10, 2021, "quickly" launched an investigation with assistance from a forensic firm, reported the incident to law enforcement and terminated the employee.

Houston-based Harris Health, which operates two trauma center hospitals and a network of 37 clinics, health centers and specialty locations, said on Friday the FBI had just given the entity the green light to begin notifying patients.

"While working with law enforcement, Harris Health determined that the former employee disclosed some patient information to unauthorized individuals," the healthcare firm said.

"Because it could have impeded their investigation, law enforcement required Harris Health to delay notifying patients of this incident. Harris Health is now notifying patients as quickly as possible after receiving permission from law enforcement to do so," Harris Health said in a privacy breach notice.

"To date, Harris Health has not been able to determine which specific patients' information was disclosed outside the organization but is notifying all patients whose electronic medical records may have been impermissibly accessed by the former employee."

Potentially compromised information includes name, date of birth, address, email address, telephone number, medical record number, clinical information, diagnoses, medical history, medications, immunizations, provider name, dates of service and insurance information. The breach also affected Social Security numbers of some patients.

Harris Health said it is offering complimentary identity and credit monitoring to patients whose Social Security numbers were compromised.

Harris Health declined to provide Information Security Media Group additional details about the incident. The FBI did not immediately respond to ISMG's request for details about the case, including the status of the investigation and whether anyone was charged in the incident.

The apparent four-year delay in law enforcement allowing Harris Health to notify affected patients seems longer than typical investigations, some experts said.

Hope this was not your hospital for the past 10 years!
