Two healthcare organizations recently revealed that their own employees accessed patient records without authorization. Insider breaches have long plagued the healthcare industry, so how can you protect your organization? Details of both breaches, and how to prevent a similar incident in your organization, are discussed below.

Montefiore Medical Center Insider Healthcare Breaches

Between June 2020 and November 2020, an employee of Montefiore Medical Center accessed patient protected health information (PHI) without authorization. Upon discovering the insider breach, Montefiore immediately suspended the employee's access to its electronic medical record system and launched an investigation. After a thorough investigation, Montefiore fired the employee and referred the case to law enforcement, potentially exposing the former employee to criminal penalties.

Robert Dalrymple, chief information security officer at Montefiore Medical Center, said in a statement, “We apologize for any inconvenience to our patients that this breach has caused. We are taking steps to implement additional safeguards to strengthen the security of our systems.”


PHI accessed by the former employee included patient names, dates of birth, addresses, medical record numbers, and the last four digits of patients' Social Security numbers. Other information that may have been accessed included test results, diagnoses, and visit histories.

Patients affected by the incident will receive one year of credit monitoring, identity theft protection, a $1,000,000 insurance reimbursement policy, and access to fraud resolution representatives.


Bethesda Hospital Insider Healthcare Breaches

On December 1, 2020, Bethesda Hospital discovered that an employee impermissibly accessed and altered PHI. The altered data included home health orders used for patients receiving home care services from Bethesda. After an internal investigation, Bethesda fired the employee in question and notified law enforcement.

PHI potentially accessed by the former employee included patient names, dates of birth, Social Security numbers, addresses, insurance information, and clinical documentation. Patients treated between June 1, 2019 and December 2, 2020 may have been affected by the incident. Patients affected by the insider healthcare breach have been notified and will receive identity theft protection and one year of credit monitoring.

How to Prevent Insider Healthcare Breaches

Preventing insider healthcare breaches comes down to two things: your policies and procedures, and employee training.

Policies and procedures.

Your policies and procedures should dictate the permitted uses and disclosures of PHI by your organization and its employees. They also dictate who has access to what information, and when. The HIPAA minimum necessary standard requires that employees have access only to the PHI they need to perform their job functions. Additionally, it is important to have policies and procedures for how you track access to PHI: audit logs of who viewed or changed which record are only useful if someone actually reviews them, so define who reviews them, how often, and what counts as suspicious. Tracking access to PHI enables quick detection of insider breaches, which in turn lets you mitigate the damage; both breaches described above went on for months before they were discovered. Lastly, you must have strict guidelines on when to terminate or adjust employee access to PHI, such as when an employee changes job roles or leaves the organization.
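The following is an added example, not code from the original article or from either hospital, of what "tracking access to PHI" looks like once the tracking is put to use: a review script run over EHR audit-log lines. The log format, the user roster, the treatment-relationship assignments, the role-to-action policy and the volume threshold are all constructed here for illustration; real EHR audit logs and HR feeds will differ. It flags the three situations the paragraph calls out: access by an account whose termination date has passed, an action outside what the user's role needs (minimum necessary), and a clinician opening more patient records without a documented treatment relationship than a daily threshold allows.

```python
"""Review EHR audit-log lines for insider-access warning signs (constructed example)."""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed roster, as an HR feed would supply it: role and, if applicable,
# the date on which the person's access should have been terminated.
ROSTER = {
    "jdoe":   {"role": "nurse",   "terminated": None},
    "asmith": {"role": "billing", "terminated": None},
    "rlee":   {"role": "nurse",   "terminated": date(2020, 10, 15)},  # left the organization
}

# Constructed treatment relationships: patients (by medical record number) each
# clinician is currently assigned to. Only clinical roles are checked against this.
ASSIGNMENTS = {
    "jdoe": {"MRN1001", "MRN1002"},
    "rlee": {"MRN1003"},
}
CLINICAL_ROLES = {"nurse"}

# Constructed role policy for the minimum necessary standard: actions each role may perform.
ROLE_ACTIONS = {
    "nurse":   {"VIEW_CHART", "EDIT_ORDER"},
    "billing": {"VIEW_BILLING"},
}

# Constructed threshold: distinct unassigned patients one clinician may touch in a day
# before a review case is opened. Tune this to your own workload; emergency access
# ("break the glass") is legitimate and will show up here, so these are review triggers,
# not proof of wrongdoing.
UNASSIGNED_PATIENTS_PER_DAY = 2

# Constructed EHR audit log, one access event per line: timestamp,user,action,patient_mrn
SAMPLE_LOG = """\
2020-11-02T09:12:04,jdoe,VIEW_CHART,MRN1001
2020-11-02T09:14:31,jdoe,VIEW_CHART,MRN1002
2020-11-02T09:20:00,jdoe,VIEW_CHART,MRN2001
2020-11-02T09:21:10,jdoe,VIEW_CHART,MRN2002
2020-11-02T09:22:45,jdoe,VIEW_CHART,MRN2003
2020-11-02T10:05:00,asmith,VIEW_BILLING,MRN1001
2020-11-02T10:07:00,asmith,VIEW_CHART,MRN1001
2020-11-03T23:41:00,rlee,VIEW_CHART,MRN1003
2020-11-03T23:42:00,rlee,EDIT_ORDER,MRN1003
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    mrn: str


def parse_log(text):
    """Parse the constructed CSV-style audit log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, mrn = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, action, mrn))
    return events


def find_violations(events, roster=ROSTER, assignments=ASSIGNMENTS,
                    role_actions=ROLE_ACTIONS, threshold=UNASSIGNED_PATIENTS_PER_DAY):
    """Return (kind, user, detail) findings for events that merit review."""
    findings = []
    unassigned = {}  # (user, day) -> MRNs accessed without a treatment relationship
    for ev in events:
        entry = roster.get(ev.user)
        if entry is None:
            findings.append(("unknown_account", ev.user, ev.ts.isoformat()))
            continue
        # Access after the termination date: the account should already have been disabled.
        if entry["terminated"] and ev.ts.date() > entry["terminated"]:
            findings.append(("access_after_termination", ev.user, ev.ts.isoformat()))
        # Action outside the role's minimum necessary set.
        if ev.action not in role_actions.get(entry["role"], set()):
            findings.append(("action_outside_role", ev.user, ev.action))
        # Clinicians opening charts of patients they are not assigned to.
        if entry["role"] in CLINICAL_ROLES and ev.mrn not in assignments.get(ev.user, set()):
            unassigned.setdefault((ev.user, ev.ts.date()), set()).add(ev.mrn)
    for (user, day), mrns in sorted(unassigned.items()):
        if len(mrns) > threshold:
            findings.append(("unassigned_patient_volume", user, f"{day}:{len(mrns)}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in find_violations(parse_log(SAMPLE_LOG)):
        print(f"{kind:28} {user:8} {detail}")
```

On the constructed log this raises four findings: a billing user performing a chart view outside the billing role, two accesses by an account that should have been disabled weeks earlier, and a nurse opening three unassigned patients' charts in one morning. Each is a case to investigate, not a verdict; the point is that none of them is visible without both the audit trail and a defined review of it.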

Employee training.

To ensure that your employees adhere to your organization's policies and procedures, and to HIPAA standards, they must be trained.