Insider Leaked 1.2K Patient Records for More Than Two and a Half Years
The employee accessed information, including names, addresses, and social security numbers, from Feb. 2017 to Oct. 2019.
A former hospital employee accessed and leaked sensitive patient records undetected for more than two and a half years, it was disclosed over the weekend.
Until recently, the unnamed employee worked for Beaumont Health, a chain of eight not-for-profit facilities in and around Detroit. The employee, who worked in the organization’s registration department, was terminated for violating hospital policies and HIPAA Rules but no charges have been filed yet.
According to a report in the Detroit Free Press on Saturday, the employee accessed and transferred sensitive data, patients' names, addresses, dates of birth, contact information, social security numbers, insurance information, and data relating to why they were patients at Beaumont, from February 2017 to October 2019.
The employee leaked the information of nearly 1,200 people - 1,182 to be exact - to an individual working for a personal injury attorney. Beaumont Health began notifying the patients whose data had been accessed on Friday, according to the paper.
The organization presumably has safeguards against the mishandling of data, but registration staff legitimately need to look up demographic, insurance and visit information for every patient they check in, so the employee's access was almost certainly within the permissions the role already carried. Reports make it sound like the employee had little difficulty exfiltrating the information; the failure was not a missing access control but the absence of anything that noticed that access being used for a purpose outside the job.
It wasn't until the Attorney Grievance Commission of Michigan, the investigative/prosecutorial arm of the state's Supreme Court, informed Beaumont in December, that the organization became fully aware of the employee’s improper access. It initiated an investigation shortly after.
For what it's worth, the facility claims it’s taken steps to ensure a situation like this doesn't happen again.
"Beaumont has also taken steps to improve internal procedures to identify and remediate future threats in order to minimize the risk of a similar incident in the future," the health org said in a statement over the weekend.
While it's unclear what those procedures entail, implementing a data protection solution that can discover, monitor, and restrict protected health information (PHI) while complying with HIPAA could go a long way in thwarting similar incidents going forward. The monitoring piece matters most here: record-level access logs existed in any modern EHR, but nobody was examining them for a registration clerk whose lookups did not match her workload.
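The following is an added example of what "monitor" can mean in practice; it is not code from Beaumont Health, the Detroit Free Press, or any product, and the log format, role names, thresholds and the log lines themselves are assumptions constructed for illustration. It computes, per user and month, how many distinct patient records were touched and flags anyone whose count is far above the median of peers in the same role, which is the simplest peer-group baseline an access-review process can start from.

```python
"""Peer-group baseline check over EHR record-access audit logs.

Added example, not code from Beaumont Health or the reporting outlet.
The log tuple layout, the role names and the ratio threshold are
assumptions chosen for illustration; SAMPLE_LOG is constructed data.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit log: (user, role, year-month, patient_id).
# Three registration clerks; "clerk3" touches far more distinct patients
# than peers in the same role, which is the pattern worth reviewing.
SAMPLE_LOG = [
    ("clerk1", "registration", "2019-09", f"P{i}") for i in range(40)
] + [
    ("clerk2", "registration", "2019-09", f"P{i}") for i in range(35, 80)
] + [
    ("clerk3", "registration", "2019-09", f"P{i}") for i in range(300)
] + [
    ("nurse1", "nursing", "2019-09", f"P{i}") for i in range(120)
]


def distinct_patients(log):
    """Map (user, role, month) -> number of distinct patient records touched."""
    seen = defaultdict(set)
    for user, role, month, patient in log:
        seen[(user, role, month)].add(patient)
    return {key: len(patients) for key, patients in seen.items()}


def flag_outliers(log, ratio=3.0, min_peers=2):
    """Flag users whose distinct-patient count for a month exceeds `ratio`
    times the median of the other users in the same role and month.

    Role/month groups with fewer than `min_peers` users are skipped: with
    one user there is nobody to compare against, so no baseline exists.
    Returns a sorted list of (user, role, month, count, peer_median).
    """
    counts = distinct_patients(log)
    by_group = defaultdict(list)
    for (user, role, month), n in counts.items():
        by_group[(role, month)].append((user, n))

    flagged = []
    for (role, month), members in by_group.items():
        if len(members) < min_peers:
            continue
        for user, n in members:
            peers = [m for u, m in members if u != user]
            base = median(peers)
            if base > 0 and n > ratio * base:
                flagged.append((user, role, month, n, base))
    return sorted(flagged)


if __name__ == "__main__":
    for user, role, month, n, base in flag_outliers(SAMPLE_LOG):
        print(f"{month} {role}/{user}: {n} distinct patients, peer median {base}")
```

Volume is only one signal, and on the figures in this story it is a weak one: 1,182 records over roughly 32 months is under 40 a month, which a busy registration desk could exceed legitimately. A review process should pair this kind of baseline with checks the log can also answer, such as whether the user had any scheduling, billing or encounter relationship with the patient and whether the access came from the registration workstation during the user's shift.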
Achieving that often requires a sensitive, methodical approach, but it is not optional: healthcare organizations covered by HIPAA must meet the HIPAA Security Rule, a national standard that requires them to protect patients' electronic health data through appropriate administrative, physical, and technical safeguards. Among the technical safeguards is the audit controls standard (45 CFR 164.312(b)), which requires mechanisms to record and examine activity in systems that hold electronic PHI; recording alone, without anyone examining the result, is what leaves an insider unnoticed for years.