Two disgruntled employees, a lawsuit and a trail of improper access are behind the latest HIPAA violation, which concerns a breach affecting 16,000 patients of Texas pediatric clinics.
According to a report by Healthcareinfosecurity.com, a staff member at Children’s Medical Clinics of East Texas, in Kaufman, Texas, engaged in widespread theft of patient data, including taking business records home and taking screen shots of patient records. The information was provided to a former co-worker, who was engaged in a dispute with the clinic.
The letter posted on the clinics’ web site describing the theft portrays a sustained campaign of data theft undertaken to aid a former co-worker who “appears to have a retaliatory agenda against the clinic.”
After noting in August that the employee took “business documents” home from the office without returning them, the clinic notified the police. A subsequent search of clinic log files revealed that the employee in question had been “improperly” accessing patient health information by logging into patient records and “providing a screenshot of patient records to an identified third party.”
The stolen information included confidential data such as the patient’s name and date of birth, along with health information such as diagnosis and treatment. It is not clear what – if anything – was done with the data, a firm hired by the clinics said. In fact, the clinic isn’t able to “narrow down which records were improperly accessed.”
The incident underscores the difficult challenge faced by healthcare providers, which must provide access to patient information to a wide range of staff, but are also bound by the federal HIPAA regulations to protect that data from inadvertent exposure. In the case of the Texas pediatric clinics, both the employee who stole the data and the former employee who received it were described as “front office clerical workers.” According to the clinics’ law firm, the employee who stole the data was authorized to access it and had received HIPAA training. Nevertheless, forwarding that information outside the clinic was a violation of HIPAA’s privacy rule.
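The clinic only discovered the misuse by going back through its access logs, and the core difficulty described above is that an authorized, HIPAA-trained clerk can view charts without any single access looking wrong. The following is an added example, not the clinic's or any vendor's code, of the kind of audit-log review a provider can run routinely rather than after a complaint. It assumes a hypothetical one-line-per-event log format (timestamp, user, action, patient id) and a constructed list of which patients had a scheduled visit that day; all sample lines and names are made up for the example. It flags three things a front-office role should rarely produce: chart views after hours, a user touching far more distinct patients than peers, and views of patients with no visit that day (a rough proxy for the absence of a treatment or billing relationship).

```python
"""Toy EHR audit-log review: flag record access that merits a closer look.

Hypothetical log format (constructed for this example, not any real system's):
    <ISO timestamp> <user> <action> patient=<id>
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit lines: two clerks with ordinary workloads and one
# (clerk_c) who views many charts, including two after the office has closed.
SAMPLE_LOG = """\
2018-08-01T09:05:00 clerk_a VIEW patient=1001
2018-08-01T09:20:00 clerk_a VIEW patient=1002
2018-08-01T10:10:00 clerk_b VIEW patient=1003
2018-08-01T11:30:00 clerk_b VIEW patient=1004
2018-08-01T11:45:00 clerk_b VIEW patient=1005
2018-08-01T12:00:00 clerk_c VIEW patient=1006
2018-08-01T12:02:00 clerk_c VIEW patient=1007
2018-08-01T12:03:00 clerk_c VIEW patient=1008
2018-08-01T12:04:00 clerk_c VIEW patient=1009
2018-08-01T12:05:00 clerk_c VIEW patient=1010
2018-08-01T20:15:00 clerk_c VIEW patient=1011
2018-08-01T21:40:00 clerk_c VIEW patient=1012
"""

# Constructed: patients with a scheduled visit per day. Front-office staff have
# a plausible reason to open these charts; other chart views deserve review.
SCHEDULED_VISITS = {"2018-08-01": {1001, 1002, 1003, 1004, 1005, 1006, 1007}}


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "patient": int(patient.split("=", 1)[1]),
        })
    return events


def after_hours(events, start_hour=7, end_hour=19):
    """Events outside the assumed business window [start_hour, end_hour)."""
    return [e for e in events if not start_hour <= e["time"].hour < end_hour]


def distinct_patients_per_user(events):
    """How many different charts each user opened."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["patient"])
    return {user: len(patients) for user, patients in seen.items()}


def volume_outliers(events, factor=2.0):
    """Users whose distinct-chart count exceeds factor x the peer median."""
    counts = distinct_patients_per_user(events)
    if len(counts) < 2:
        return []  # no peer group to compare against
    baseline = median(counts.values())
    return sorted(user for user, n in counts.items() if n > factor * baseline)


def no_visit_accesses(events, visits):
    """Chart views for patients with no scheduled visit on that day."""
    return [e for e in events
            if e["patient"] not in visits.get(e["time"].date().isoformat(), set())]


def review(text, visits):
    """Run all three checks and return a summary suitable for a daily report."""
    events = parse_log(text)
    return {
        "after_hours": [(e["user"], e["patient"]) for e in after_hours(events)],
        "volume_outliers": volume_outliers(events),
        "no_visit": [(e["user"], e["patient"]) for e in no_visit_accesses(events, visits)],
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG, SCHEDULED_VISITS).items():
        print(f"{check}: {findings}")
```

None of these findings proves wrongdoing on its own, which is the point: a reviewer gets a short list of users and charts to reconcile against schedules and duties, instead of the situation the clinic ended up in, where it could not even narrow down which records were accessed. The peer-median comparison is deliberately simple; a real deployment would compare against each user's own history and role, and would treat the thresholds as assumptions to tune.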
The difficulty of securing data from malicious insiders is prompting more organizations to look for ways to mitigate the impact of incidents like this. A recent survey of corporate officers conducted by Veracode and NYSE found that 52% had subscribed to employee or insider threat liability coverage. More than a third of the executives polled (35%) said they were seeking coverage against loss of sensitive data caused by software coding and human errors.
Children's Medical Clinics logo via HealthcareInfoSecurity.com.