3rd Party Risk Management , Access Management , Endpoint Security
Former Executive Accessed PHI of Nearly 38,000 IndividualsAccountable Care Organization Says It's Investigating 2020 Incident
A compromise of sensitive health information affecting nearly 38,000 individuals discovered nearly a year after a terminated company executive accessed the data spotlights some of the top security and privacy challenges covered entities and business associates face with insiders.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Texas-based accountable care organization Premier Patient Healthcare in a report filed on Friday to the Maine attorney general's office, described the June 2020 incident - discovered in April 2021 - as "insider wrongdoing, loss or theft of device or media (computer, laptop, external hard drive, thumb drive, CD, tape, etc.).”
The incident is not yet posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Premier, however, reported the breach to Maine's attorney general as affecting 37,636 individuals, including two Maine residents.
In a sample notification letter provided to the Maine attorney general's office, Premier says that on April 30, it discovered evidence indicating that a former executive of Premier had accessed its computer system after the termination of his employment and had obtained and accessed a file containing health information.
The information in the file included name, age, sex, race, county and state of residence, and zip code, as well as Medicare beneficiary information, such as Medicare eligibility period, spend information, and hierarchical condition category risk score, the report says.
"We have investigated this incident but have been unable to determine how the information was further handled or used after it was acquired. We are continuing to investigate the full extent of the breach," the sample letter says.
A data security incident notice posted on Premier's website offers a slightly different description of the incident, implying that a third-party technology vendor was also involved in the breach.
In that statement, Premier says that on April 30, "Wiseman Innovations, a technology vendor of Premier Patient Healthcare, discovered evidence indicating that a former executive of Premier and its contracted technology vendor obtained and accessed a file containing sensitive health information in July 2020, after the termination of their employment."
Premier, in partnership with its contracted technology vendor, is completing an ongoing investigation and has reported the incident to the appropriate regulatory agencies, the statement notes.
An attorney representing Premier declined Information Security Media Group's request for clarification about the incident, including whether the breach involved both a former company executive and a vendor, and whether the incident involved access to PHI contained on a mobile computing/storage device, as indicated in the report submitted to Maine's attorney general.
"There is an ongoing investigation into this matter and we have no comment," the attorney tells ISMG.
Steps to Take
Healthcare entities and their vendors should take steps to prevent breaches of protected health information involving employees who have left their employment with the organization, experts say.
For instance, when an employee gives notice or is told that their employment is ending, organizations should terminate all access to PHI and sanitize employee-owned devices immediately rather than waiting until the employee's last working day, says regulatory attorney Paul Hales of the Hales Law Group. "Much damage can be done in two weeks," he says.
Insiders are often caught inappropriately accessing patient information because the workers leave an electronic trail, he notes.
Mobile Device Risk
Organizations should also take steps to ensure the return of company-owned mobile computing and storage devices, or the deletion of sensitive data at the end of a worker's employment, experts note.
"We recommend that HR and/or IT uses a checklist to ensure assets are returned and any work-related data that is not stored within company assets is erased or destroyed," says Tom Walsh, president of privacy and security consultancy tw-Security.
Personally owned devices - including smartphones, laptops, tablets and portable media - may contain confidential information that belongs to the organization, he notes.
"Most medium- and large-size organizations should have mobile device management, which could facilitate doing a remote wipe of company data from any personally owned device enrolled in their bring-your-own-device program," Walsh says.
Other important steps covered entities and business associates should take when employees - including executives - leave their employment include ensuring that their access to PHI has ended, Walsh says.
That includes checking for rules in the former executive’s email account/mailbox.
"The executive may have set up a rule in email to automatically forward certain emails to a personal email account," he says.
"Even after termination, the rule may still be in place because the organization would likely change the password to the executive’s email account/mailbox, but keep the account/mailbox active to ensure that key communications are not missed."
Another person in the organization may have the responsibility for monitoring incoming emails into the terminated executive’s mailbox, he notes. "But if someone didn’t check the account to verify if the rules were turned off, they may not even be aware of the auto-forwarding activity."
Entities also should remove remote access capability to cloud storage services, Walsh says, and they should keep in mind that executives often have more expanded privileges to access sensitive company/patient information than other workers - even if they don’t always need it.
"The executive may not log in or seldom log in with those elevated privileges, but they have them," and that access needs to be terminated when the individual leaves the organization, he notes.
Regulators also have taken enforcement action in some cases involving insider breaches.
For instance, one year ago, HHS' Office for Civil Rights settled an investigation into a terminated employee’s theft of the PHI of 498 individuals from the New Haven Connecticut Health Department (see: City Faces HIPAA Fine After Health Department Breach).
The city of New Haven in October 2020 agreed to pay a $200,000 financial settlement and implement a corrective action plan in the wake of the 2016 incident, which involved a former city employee who continued to access citizens’ health records - and shared her credentials with an intern - after her job had been terminated.
The HIPAA breach was also the subject of a criminal case against the former employee. In 2017, state prosecutors charged her with third-degree burglary and larceny charges in the case.
"The danger of insider theft is extremely dangerous because insiders have the 'keys to the kingdom,'" Hales notes.
"It is important to investigate and prosecute insider PHI thieves to learn how the theft could have been prevented, punish the thief and set a standard to deter other insider thefts."