Data Insider (Digital Guardian's Blog)

Insider Leaked 1.2K Patient Records Over 32 Months

by Chris Brook on Tuesday January 28, 2020


The employee accessed information, including names, addresses, and social security numbers, from Feb. 2017 to Oct. 2019.

A former hospital employee accessed and leaked sensitive patient records undetected for more than two and a half years, from February 2017 to October 2019, it was disclosed over the weekend.

Until recently, the unnamed employee worked in the registration department of Beaumont Health, a chain of eight not-for-profit hospitals in and around Detroit. The employee was terminated for violating hospital policies and HIPAA rules, but no charges have been filed yet.

According to a report in the Detroit Free Press on Saturday, the employee accessed and transferred sensitive data between February 2017 and October 2019: patients' names, addresses, dates of birth, contact information, Social Security numbers, insurance information, and details of why they were being treated at Beaumont.

The employee leaked the information of nearly 1,200 people (1,182, according to the report) to an individual working for a personal injury attorney. Beaumont Health began notifying the affected patients on Friday, according to the paper.

The organization presumably has safeguards against mishandling of data, but this case shows their limits: a registration employee needs access to demographic and insurance records to do the job, so each individual lookup looked legitimate and role-based access control alone would not have blocked it. What the reports suggest was missing is monitoring of how much data the account touched over time and where it went, because the employee appears to have had little difficulty exfiltrating the information.

Beaumont did not become fully aware of the improper access until December, when the Attorney Grievance Commission of Michigan, the investigative and prosecutorial arm of the state's Supreme Court, informed the organization. Beaumont initiated an investigation shortly after.

For what it's worth, the facility claims it’s taken steps to ensure a situation like this doesn't happen again.

"Beaumont has also taken steps to improve internal procedures to identify and remediate future threats in order to minimize the risk of a similar incident in the future," the health org said in a statement over the weekend.

While it's unclear what those procedures entail, a data protection program that can discover where protected health information (PHI) lives, monitor who accesses it and in what volume, and restrict how it leaves the organization would go a long way toward catching similar incidents earlier than 32 months in.

Healthcare organizations are already required to do much of this: the HIPAA Security Rule is a national standard that obliges covered entities to protect patients' electronic PHI through appropriate administrative, physical, and technical safeguards. Among the technical safeguards are audit controls, meaning mechanisms that record and examine activity in systems that hold ePHI. Keeping those logs is only half the requirement; an access pattern like this one is visible in the audit trail long before an outside party reports it, but only if someone or something is actually reviewing the trail.
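To make the monitoring point concrete, here is an added example (not Beaumont's procedures or Digital Guardian's product, and not code from the original post) of the two checks over an EHR access audit trail that would have surfaced the pattern described above: a user touching far more distinct patient records than peers in the same department, and a user performing actions outside that role's scope. The CSV log layout, the role-to-action policy table, the user names and the sample lines are all constructed for illustration; a real EHR audit module has its own schema.

```python
"""Peer-relative volume and out-of-role checks over EHR access audit logs.

Added example: not Beaumont Health's or Digital Guardian's code. The log
format, policy table and sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit lines: timestamp,user,department,patient_id,action.
# Two ordinary registration clerks and one account that opens many more
# records, then reads clinical notes and exports data after hours.
SAMPLE_LOG = """\
2017-02-03T08:12:00,asmith,registration,P1001,view_demographics
2017-02-03T08:20:00,asmith,registration,P1002,view_demographics
2017-02-03T09:05:00,asmith,registration,P1003,view_insurance
2017-02-03T08:14:00,bjones,registration,P1004,view_demographics
2017-02-03T10:40:00,bjones,registration,P1005,view_insurance
2017-02-03T08:01:00,insider,registration,P2001,view_demographics
2017-02-03T08:02:00,insider,registration,P2002,view_demographics
2017-02-03T08:03:00,insider,registration,P2003,view_demographics
2017-02-03T08:04:00,insider,registration,P2004,view_insurance
2017-02-03T08:05:00,insider,registration,P2005,view_demographics
2017-02-03T08:06:00,insider,registration,P2006,view_demographics
2017-02-03T08:07:00,insider,registration,P2007,view_insurance
2017-02-03T08:08:00,insider,registration,P2008,view_demographics
2017-02-03T19:30:00,insider,registration,P2009,view_clinical_notes
2017-02-03T19:31:00,insider,registration,P2010,export
"""

# Actions each department's role legitimately needs (constructed policy table).
ROLE_ACTIONS = {
    "registration": {"view_demographics", "view_insurance", "update_demographics"},
}


def parse_log(text):
    """Parse the constructed CSV layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "dept": dept,
            "patient": patient,
            "action": action,
        })
    return events


def volume_alerts(events, factor=3.0):
    """Flag (user, date) pairs whose distinct-patient count exceeds `factor`
    times the median count of the other users in the same department that day.

    The threshold is peer-relative on purpose: registration staff legitimately
    open many records, so a fixed global cap would either miss this account or
    drown the reviewer in alerts about ordinary clerks.
    """
    per_day = defaultdict(set)          # (dept, date, user) -> {patient ids}
    for e in events:
        per_day[(e["dept"], e["ts"].date(), e["user"])].add(e["patient"])

    by_group = defaultdict(dict)        # (dept, date) -> {user: distinct count}
    for (dept, day, user), patients in per_day.items():
        by_group[(dept, day)][user] = len(patients)

    alerts = []
    for (dept, day), counts in by_group.items():
        for user, n in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            if not peers:
                continue                # no peer baseline to compare against
            baseline = median(peers)
            if n > factor * baseline:
                alerts.append((user, day.isoformat(), n, baseline))
    return alerts


def out_of_role_alerts(events):
    """Flag events whose action is outside the department's allowed set."""
    return [
        (e["user"], e["ts"].isoformat(), e["action"])
        for e in events
        if e["action"] not in ROLE_ACTIONS.get(e["dept"], set())
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in volume_alerts(evs):
        print("VOLUME     ", alert)
    for alert in out_of_role_alerts(evs):
        print("OUT_OF_ROLE", alert)
```

On the constructed sample, the volume check flags only the `insider` account (10 distinct patients against a peer median of 2.5), and the out-of-role check flags its `view_clinical_notes` and `export` events while leaving the two clerks alone. Run daily against a real audit trail, either check on its own would have raised the case long before an outside party did; the volume check is also the one that scales, since it needs no knowledge of which individual lookups were legitimate.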

Tags: Industry Insights, Healthcare


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.