Kusserow on Compliance: Not all data breaches are from accidents or cyber attacks

1,182 Beaumont Health patient records compromised

Employee passed patient information to a personal injury law firm

Undetected for 3 years

Not found by hospital but from an alert by the Attorney Grievance Commission

OCR not notified because it was not a data breach

An employee for Beaumont Health, an eight-hospital health system in Michigan, was caught siphoning sensitive patient information without permission then handing it over to a personal injury attorney. The medical records involved 1,182 individuals. The identity of the law firm was not identified and it is not clear how the law firm used the information. The case is under investigation and all persons whose records were compromised are being notified.

The Michigan Health & Hospital Association was notified to alert other hospitals about the incident and guard against similar intrusions. The breach was discovered on December 10, 2019, and resulted in an internal investigation. The matter was not discovered by Beaumont, but as result of an alert by the Michigan Attorney Grievance Commission—a watchdog to maintain ethical law practices in the state. How the Commission learned of the issue was not reported.

It was determined that from February 1, 2017, until October 22, 2019, the employee accessed and disclosed protected health information (PHI) without authorization. The information accessed included names, addresses, dates of birth, phone number, email addresses, reason for treatment, insurance information, and Social Security numbers. Notified individuals have been advised on how to further protect their information and monitor financial accounts for fraud. They also were asked to closely review health insurance claim information. Those having Social Security numbers exposed have been given information about enrolling in free credit monitoring, Beaumont said.  Beaumont reported that they have no experienced or reported a data hack or unauthorized patient data loss to the Office of Civil Rights that tracks and investigates breaches of patient data.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 202o Strategic Management Services, LLC. Published with permission.