Children’s healthcare exec stole kids’ medical records
Insider attack; Unauthorized use of employer’s data
The now-fired corporate audit advisor allegedly pilfered the hospital’s proprietary data and children’s patient health information.
On Oct. 18, two days after Sharon McCray announced her intention to resign in December, Children's Healthcare of Atlanta discovered that she had emailed the information to her own personal account.
The files also included numbers assigned to healthcare providers by the Drug Enforcement Administration; state license numbers for more than 500 healthcare providers; confidential and attorney-client privileged communications; financial information; internal and external audits; and additional confidential and proprietary information belonging to Children's Healthcare. The company is suing McCray.
The hospital last year had more than 346,000 patients and almost 848,000 patient visits, including children from all 159 counties of Georgia.
Apparently McCray began emailing the information to herself on Oct. 16, the day she gave notice, and continued through Oct. 21, when Children's says it cut off her access to her corporate email account and placed McCray on a paid leave of absence. She was fired the next day.
McCray admitted emailing the information to her personal account and claimed it was so she could use the information "as backup records for her new employment with an unidentified employer to use as a reference.”
"To date, [McCray] still has not returned or destroyed Children's Healthcare's Protected Information or permitted Children's Healthcare to inspect [McCray's] personal computer(s) for the Protected Information," the hospital's lawsuit complaint says.
ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.
Healthcare and Public Health
October 28, 2013
Atlanta Business Chronicle
Link to report
location of breach
location of perpetrators
date breach occurred
Oct. 16, 2013 to Oct. 21, 2013
date breach detected
Oct. 18 2013