
Jackson Health System has reported a significant insider data breach involving the unauthorized access and misuse of protected health information (PHI) belonging to more than 2,000 patients. The breach was disclosed in a press release issued on June 6, 2025, where the health system confirmed that a now-former employee exploited their position to obtain confidential patient data for personal gain.
According to the announcement, the compromised data includes patient names, dates of birth, home addresses, medical record numbers, and clinical information. Jackson Health System stated that the employee used the information to promote a private healthcare business. Upon confirming the Health Insurance Portability and Accountability Act (HIPAA) violation, the employee was immediately terminated, and the matter was referred to law enforcement for further investigation into potential criminal violations.
The health system revealed that the unauthorized data access occurred over a prolonged period—from July 2020 through May 2025—before being discovered. However, the exact method of detection has not been disclosed. It remains unclear whether the breach was uncovered through internal audits, system alerts, or complaints from affected patients.
This incident has drawn renewed attention to Jackson Health System’s internal oversight mechanisms. Despite the HIPAA mandate for healthcare providers to routinely review activity within systems containing electronic protected health information (ePHI), the breach’s five-year duration raises concerns about the frequency and effectiveness of Jackson Health’s audit procedures. While HIPAA does not define a specific review schedule, it emphasizes that system activity must be regularly monitored to detect and mitigate breaches promptly.
The recent breach is not an isolated case for Jackson Health System. In 2016, the organization reported a similar insider breach involving unauthorized access to the records of 24,188 patients. That incident also remained undetected for five years. In response, Jackson Health had announced plans to implement a new data security system designed to improve detection of insider threats.
In the aftermath of the 2016 breach, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) launched an investigation that uncovered multiple HIPAA violations related to Jackson Health’s Privacy, Security, and Breach Notification compliance. The investigation concluded in 2019 with a $2.15 million financial settlement. At that time, OCR Director Roger Severino criticized the health system’s compliance efforts, citing a prolonged period of systemic failure, including the lack of routine review of system activity logs.
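The article notes that HIPAA requires regular review of activity in systems holding ePHI and that OCR's 2019 finding cited a lack of routine review of system activity logs. The script below is an added illustration of what such a review can look like in practice; it is not Jackson Health's tooling or any EHR vendor's audit format. It runs over constructed audit records (the field layout, the `care_relationship` flag and all account and MRN values are assumptions made for the example) and flags two patterns that a long-running insider misuse of the kind described tends to produce: an account touching far more distinct patient records in a window than its peers, and an account reading records of patients it has no documented care relationship with.

```python
"""Periodic ePHI access-log review: volume outliers and no-relationship access.

Constructed example for illustration; field names, the care_relationship
flag and all identifiers are assumptions, not a real EHR audit export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed audit records: timestamp,user,mrn,action,care_relationship
SAMPLE_LOG = """\
2025-05-01T08:12:00,nurse01,MRN1001,view,treating
2025-05-01T09:30:00,nurse01,MRN1002,view,treating
2025-05-02T10:05:00,nurse01,MRN1003,update,treating
2025-05-01T08:40:00,nurse02,MRN1004,view,treating
2025-05-02T11:15:00,nurse02,MRN1005,view,treating
2025-05-03T12:00:00,nurse02,MRN1006,view,treating
2025-05-03T13:20:00,nurse02,MRN1002,view,treating
2025-05-04T09:00:00,doc01,MRN1007,view,treating
2025-05-04T09:10:00,doc01,MRN1008,update,treating
2025-05-05T14:45:00,doc01,MRN1009,view,treating
2025-03-15T10:00:00,nurse01,MRN1500,view,treating
"""
# Constructed insider pattern: a clerical account browsing 30 unrelated
# patient records over the month, one or two per day.
for i in range(30):
    day = 1 + i % 28
    SAMPLE_LOG += f"2025-05-{day:02d}T17:{i:02d}:00,clerk01,MRN2{i:03d},view,none\n"


def parse_log(text):
    """Parse the CSV-style records into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action, rel = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "mrn": mrn, "action": action, "rel": rel})
    return records


def distinct_patients(records, start, end):
    """Number of distinct MRNs each account accessed within [start, end)."""
    seen = defaultdict(set)
    for r in records:
        if start <= r["ts"] < end:
            seen[r["user"]].add(r["mrn"])
    return {u: len(s) for u, s in seen.items()}


def volume_outliers(counts, factor=3.0, floor=10):
    """Accounts whose distinct-patient count exceeds factor x peer median.

    The floor avoids flagging everyone when the median is tiny.
    """
    if len(counts) < 2:
        return {}
    threshold = max(factor * median(counts.values()), floor)
    return {u: c for u, c in counts.items() if c > threshold}


def no_relationship_access(records, start, end):
    """Per-account count of reads where no care relationship was recorded."""
    hits = defaultdict(int)
    for r in records:
        if start <= r["ts"] < end and r["rel"] == "none":
            hits[r["user"]] += 1
    return dict(hits)


def review_window(text, end_iso, window_days=30):
    """Run one review over the window ending at end_iso (exclusive)."""
    end = datetime.fromisoformat(end_iso)
    start = end - timedelta(days=window_days)
    records = parse_log(text)
    counts = distinct_patients(records, start, end)
    return {
        "counts": counts,
        "volume_outliers": volume_outliers(counts),
        "no_relationship": no_relationship_access(records, start, end),
    }


if __name__ == "__main__":
    result = review_window(SAMPLE_LOG, "2025-06-01", window_days=31)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In a real deployment the peer median would be computed per role (a records clerk should be compared with other clerks, not with attending physicians), the review would run on a fixed schedule rather than ad hoc, and each flagged account would go to a privacy officer for follow-up; the point of the example is that even a simple periodic pass over access logs surfaces the broad, relationship-less browsing that went unnoticed for years in the incident described.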
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543