More than 1,000 patients at an upstate New York hospital had their medical records, including diagnoses and prescription lists, exposed after a former employee was caught snooping on its system.
Upstate University Hospital, a facility in Syracuse that is part of SUNY Upstate Medical University, confirmed the breach late last week. Perhaps more confounding than the breach itself is how long the former employee kept access to patient health records: reportedly almost a year, from November 3, 2016 to October 23, 2017.
It then took almost another year for Upstate University Hospital to notice. The hospital determined the records were being inappropriately accessed only two months ago, on September 12.
The former employee did not have access to Social Security numbers, insurance identification numbers or credit card information. According to reports, the records he or she could reach did include:
- Demographic information including name, age, address, insurer and hospital medical record number;
- The dates patients received care at University Hospital and services received;
- Diagnosis and other care and treatment information such as prescription lists.
It's unclear exactly when the employee parted ways with the hospital; judging by the hospital's wording, the person was already a former employee by November 2016. A former employee signing in with a still-valid account does not look like an intrusion to most organizations: the credentials are legitimate, so there is no failed login or privilege escalation to alert on. The only reliable signal is the mismatch between the account's activity and its owner's employment status, which is why access that is not removed on the last day of employment can go unnoticed for as long as this did.
A spokesman for the hospital told Syracuse.com that patients should be aware of scams, either phishing or phone-based, that could be carried out as a result of the breach. "Upstate said it provides employees in-depth training on the privacy and security of patient information. Upstate said it has strengthened patient information safeguards to reduce the risk of this happening again." The spokesman said the hospital will notify the U.S. Department of Health and Human Services, as required for a breach of unsecured protected health information affecting 500 or more patients.
The HIPAA Security Rule expects a covered entity to have access controls on electronic protected health information (ePHI), termination procedures that remove a workforce member's access when they leave, and audit controls that record activity against ePHI. It's not clear how strictly those were enforced at Upstate if the account stayed usable for so long after the employee left, or why the audit trail did not surface the activity sooner.
While Upstate said it doesn't believe the former employee printed, redirected or misused the data, a data protection program that ties account deprovisioning to HR offboarding would have removed the former employee's access, in this case to patient health records, in the first place.
Pairing that program with monitoring of who accesses which records, whether through the EHR's own audit log or an endpoint detection and response (EDR) tool, would have told the IT team what sensitive data was being accessed and by whom, and would have greatly reduced the lapse between the first improper access and the organization's discovery of it.
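The two gaps described above, a valid account that nobody disabled and an audit trail that nobody joined against HR, can be closed with a small recurring check. The script below is an added example and is not code from Upstate, Syracuse.com or any EHR vendor; the audit-log format, account names, medical record numbers and the offboarding roster are all constructed for illustration, and only the discovery date is taken from the article. It reads EHR audit lines, flags every event by an account whose owner's last day has already passed, and then summarizes how many patients each such account touched and how long the activity went unnoticed.

```python
"""Flag EHR access by accounts whose owners have left.

Added example; not code from the hospital or from any EHR product.
Log format, user names, MRNs and the HR roster are constructed.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR offboarding roster: account -> last day of employment.
# In a real deployment this comes from the HR system's termination feed.
TERMINATED = {
    "rn_alpha": date(2016, 11, 2),
    "clerk_beta": date(2017, 6, 30),
}

# Date the article gives for the hospital's discovery of the access.
DISCOVERED = date(2018, 9, 12)

# Constructed EHR audit-log lines (made-up format, users and MRNs):
# "<ISO timestamp> user=<account> action=<verb> mrn=<medical record number>"
SAMPLE_LOG = """\
2016-11-01T14:02:11 user=rn_alpha action=view mrn=000101
2016-11-03T09:15:42 user=rn_alpha action=view mrn=000102
2017-03-20T22:41:09 user=rn_alpha action=view mrn=000103
2017-06-30T16:55:00 user=clerk_beta action=view mrn=000104
2017-07-02T08:00:00 user=clerk_beta action=view mrn=000104
2017-07-02T08:00:30 user=dr_gamma action=view mrn=000104
2017-10-23T17:30:55 user=rn_alpha action=view mrn=000105
"""


def parse_line(line):
    """Parse one audit line into a dict; the timestamp lands under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def post_termination_access(log_text, terminated):
    """Return audit events made by accounts whose owner had already left.

    The login itself is valid, so there is no failed-auth signal to alert on;
    the reliable signal is the join between the audit trail and HR.
    Access on the last working day is allowed; anything later is a hit.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        last_day = terminated.get(rec["user"])
        if last_day is None or rec["ts"].date() <= last_day:
            continue  # still employed, or still within the last day
        rec["days_after_last_day"] = (rec["ts"].date() - last_day).days
        hits.append(rec)
    return hits


def exposure_summary(hits, discovered):
    """Per account: first and last post-termination access, distinct patients
    touched, and how long the activity went unnoticed before `discovered`."""
    by_user = defaultdict(list)
    for rec in hits:
        by_user[rec["user"]].append(rec)
    summary = {}
    for user, recs in by_user.items():
        first = min(r["ts"] for r in recs).date()
        last = max(r["ts"] for r in recs).date()
        summary[user] = {
            "first_access": first,
            "last_access": last,
            "patients": len({r["mrn"] for r in recs}),
            "days_undetected": (discovered - first).days,
        }
    return summary


if __name__ == "__main__":
    hits = post_termination_access(SAMPLE_LOG, TERMINATED)
    for h in hits:
        print(f"ALERT {h['ts']} {h['user']} {h['action']} mrn={h['mrn']} "
              f"({h['days_after_last_day']} days after last day)")
    for user, s in exposure_summary(hits, DISCOVERED).items():
        print(user, s)
```

Run daily against the previous day's audit export and the current HR roster and the alert fires on the first day of improper access rather than after a manual review. The `exposure_summary` output is also the starting point for the HHS notification described above, since it gives the patient count per offending account directly from the audit trail.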