Take the Patients and Run
Forget identity theft, an incident in Arkansas shows that plain old competition is behind at least some medical data theft.
We’re used to reading about healthcare firms getting hacked and having patient data stolen. Anthem, Primera, Community Health… the list goes on and on (and on). And we think we understand the motivations behind these attacks pretty well. Namely: sophisticated and “persistent” adversaries are hungry for verbose data about individuals – all kinds of individuals. Healthcare organizations like hospitals, doctors’ offices and health insurance firms hold much of that data on their systems. The objective of these adversaries? Identity theft. Targeted attacks aimed at employers or family, friend and acquaintances, data mining? The list goes on.
But an incident from Arkansas suggests that not every data theft beats a trail back to China, Russia or Eastern Europe. Not every eye-popping loss of health data is attributable to nefarious, remote attackers armed with droppers, Trojan horse programs and the like. In fact: among the many possible threats that healthcare organizations need to consider are more mundane risks like rogue employees motivated by greed and competitiveness.
As noted by the web site HealthITSecurity.com, Arkansas-based Baptist Health and Arkansas Health Group notified 6,500 patients in early October that their personal information had been stolen. This, after the healthcare organizations began receiving complaints from patients who were being solicited from another area health provider, Bray Family Health.
The culprit? Healthcare providers. Specifically: an investigation revealed that two former employees who works as “providers” at Baptist Health–affiliated clinics exported the patient information and took it with them to their new employer, Bray. They then used the data in August to begin sending phone and mail solicitations to patients of the other health groups, according to a statement by Baptist to affected patients (PDF). Baptist noted that the data was taken in violation of its policies and, likely, in violation of the federal HIPAA legislation, as well.
While names and e-mail probably would have been enough for an email marketing campaign, the stolen data was (of course) far more detailed than that. According to Baptist, the PHI disclosed reportedly includes patient names, addresses, telephone numbers, dates of birth, gender, race, ethnicity, provider names and the date of the patients' last appointments with Baptist Health providers. Billing information, Social Security numbers and treatment or health insurance information weren’t included, Baptist said.
The motivation here was commercial rather than criminal: doctors or nurses jumping ship to a new practice and looking to jump-start their business by pulling over former patients. That’s hardly new, but the theft and repurposing of PHI on a grand scale turns this from something in the realm of “shady business practices” into something else entirely.
The solution for healthcare organizations is straightforward enough: closer monitoring of employee behavior with an eye to spotting unusual movements of data – such as a bulk export of information on more than 6,000 patients. That’s unusual in any context and especially in the context of an employee who may have given notice. Unfortunately, the fact that Baptist learned of the theft only after victims began complaining is a too common result of a lack of visibility into suspicious network activity.