Hacking is a worry for healthcare IT professionals, but the thought of employee data theft is enough to cause many a sleepless night. Defenses against hackers can be improved with multi-layered security systems, intrusion monitoring and data encryption. However, someone with a security key and/or legitimate access to Protected Health Information (PHI) can simply walk through those defenses and, as in the case of a Medical Management LLC employee, take thousands of records containing PHI. In the most recent case of employee data theft, the PHI has already been disclosed to an unauthorized third party.
This single case has resulted in many thousands of patients’ records being exposed. The list of covered entities suffering data breaches from the Medical Management data theft includes the following hospitals:
- Valley Hospital: Ridgewood, New Jersey
- Englewood Hospital and Medical Center, New Jersey
- Emergency Physicians of Englewood, New Jersey
- Holy Name Medical Center: Teaneck, New Jersey
- White Plains Hospital Center, New York
- Phelps Memorial Hospital Center, New York
- Emergency Physicians, New York
- Park Slope Emergency Physician Services, PC, New York
- The Brooklyn Hospital Center Emergency Medicine, PC, New York
- Pittsburgh Jefferson Hospital
- University of Pittsburgh Medical Center, Pennsylvania
- Conemaugh Memorial Medical Center
- Conemaugh Meyersdale Medical Center
- Conemaugh Miners Medical Center
- Emergency Physicians of Pittsburgh, Ltd.
- Tri-County Emergency Physicians, LLC, Illinois
A spate of HIPAA violations has been reported in recent weeks after employees were discovered to have snooped on records or stolen PHI. A nurse recently took data with her when she changed employer, and a mailing was sent to all patients announcing her move. A worker at a New York City Health and Hospitals Corporation (HHC) hospital emailed a spreadsheet containing PHI to a relative to get some technical assistance, although that individual had no right to receive PHI.
Consolidated Tribal Health Project, Inc. (CTHP) reported this month that an employee accessed an as-yet-unknown number of records, and Florida Hospital in Orlando reported the exposure and potential theft of 9,000 patient records.
Employee data theft is a serious problem, and while it is difficult to prevent, efforts can be made to greatly reduce the opportunity for data to be stolen. Measures that can be taken to improve security include restricting access to PHI as far as is possible and monitoring which data is viewed, and by whom. When a member of staff leaves a covered entity, their access to PHI (passwords, security keys, logins, email accounts) must be terminated immediately.