Why Insider Breach Prevention Needs to Stay Top-of-Mind
Several recent health data security incidents serve as reminders of why healthcare entities need to stay focused on efforts to prevent and detect insider breaches even as attention is diverted by headlines about hacker attacks and ransomware.
For instance, last week, St. Charles Health System in Bend, Oregon, began notifying nearly 2,500 patients that a caregiver - over a period of about 27 months - was found to have accessed individuals' electronic medical records without authorization.
In a statement, the healthcare system says it launched an investigation on Jan. 16 and conducted an audit of all of the patient files accessed by the caregiver, concluding the insider may have inappropriately reviewed files containing patients' names, addresses, dates of birth, health insurance information, driver's license numbers and health information such as diagnoses, physicians' names, medications and treatment information.
While St. Charles Health says the employee has since "signed an affidavit stating that she has never used or shared any of the confidential patient information for the purpose of committing fraud, financial crimes or other crimes against the patients whose records were among those she viewed," the assurance apparently wasn't enough for local law enforcement officials.
On March 17, the day after St. Charles Health issued its statement about the incident, Deschutes County District Attorney John Hummel issued his own release saying he had launched a criminal investigation into the apparent breach.
"I was dismayed to learn via media reports that apparently a St. Charles employee impermissibly accessed records of thousands of patients," Hummel said. "An alleged breach of this magnitude should have been reported to local police so that a proper criminal investigation could be conducted - as far as I'm aware this did not happen."
Hummel added that his office is working with local law enforcement "to ensure that all relevant facts are detected and then conduct a legal analysis to determine if any criminal laws were violated."
Neither Hummel's office nor St. Charles Health immediately responded to my requests for comment.
St. Charles Health is just the latest in a seemingly endless string of healthcare entities at the center of law enforcement investigations as a result of insider-related breaches. And as we all know, many health data breaches - including those committed by insiders - also result in lawsuits filed by breach victims.
