Two disgruntled employees, a lawsuit and a trail of improper access are behind the latest HIPAA violation, which concerns a breach affecting 16,000 patients of Texas pediatric clinics.
According to a report by Healthcareinfosecurity.com, a staff member at Children’s Medical Clinics of East Texas, in Kaufman, Texas, engaged in widespread theft of patient data, including taking business records home and taking screenshots of patient records. The information was provided to a former co-worker, who was engaged in a dispute with the clinic.
A letter posted on the clinics’ web site describes a sustained campaign of data theft with the intention of aiding a former co-worker who “appears to have a retaliatory agenda against the clinic.”
After noting in August that the employee took “business documents” home from the office without returning them, the clinic notified the police. A subsequent search of clinic log files revealed that the employee in question had been “improperly” accessing patient health information by logging into patient records and “providing a screenshot of patient records to an identified third party.”
The stolen information contained confidential data such as the patient’s name, date of birth and patient health information such as diagnosis and treatment. It is not clear what – if anything – was done with the data, a firm hired by the clinics said. In fact, the clinic isn’t able to “narrow down which records were improperly accessed.”
The incident underscores the difficult challenge faced by healthcare providers, which must provide access to patient information to a wide range of staff, but are also bound by the federal HIPAA regulations to protect that data from inadvertent exposure. In the case of the Texas pediatric clinics, both the employee who stole the data and the former employee who received it were described as “front office clerical workers.” According to the clinics’ law firm, the employee who stole the data was authorized to access it and had received HIPAA training. Nevertheless, forwarding that information outside the clinic was a violation of HIPAA’s privacy rule.
The difficulty of securing data from malicious insiders is prompting more organizations to look for ways to mitigate the impact of incidents like this. A recent survey of corporate officers conducted by Veracode and NYSE found that 52% had subscribed to employee or insider threat liability coverage. More than a third of the executives polled (35%) said they were seeking coverage against loss of sensitive data caused by software coding and human errors.