Police Investigating Insider BreachHospital Employee Inappropriately Accessed Records
Local police are investigating a breach involving inappropriate access to about 600 patients' records by a former employee at ProMedica Bay Park Hospital in Oregon, Ohio.
See Also: The Power and Scale of XDR
On May 28, ProMedica, the parent company of the 72-bed hospital, began notifying the affected patients that their records were inappropriately accessed between April 1, 2013, and April 1, 2014, by an employee. The identity of the employee involved in the breach, and the job they held, were not disclosed by ProMedica.
"Once we discovered the breach, ProMedica immediately deactivated the employee's access to patient information and the individual is no longer employed by ProMedica," a spokeswoman for the organization tells Information Security Media Group. The breach has been reported to the U.S. Department of Health and Human Services.
When the Oregon, Ohio Police Department learned about the breach from local news media, it launched an investigation to determine whether the incident is tied to any criminal activity, says Assistant Police Chief Paul Magdich. "Other than a violation of HIPAA, we're trying to see there is any other unlawful activity involved with the breach of the records," he says.
So far, the hospital's investigation into the breach has found the information accessed may have included patients' full names, dates of birth, diagnoses, hospital visit numbers, medical record numbers, attending physicians, medications and other clinical information.
"Based on our records, we don't believe the information accessed by the employee contained any financial information, including Social Security numbers, or that the employee intended to retain any viewed information," the ProMedica spokeswoman says.
Preventing Insider Breaches
But security expert Mac McMillan, CEO of consulting firm CynergisTek, warns that cybercriminals, including insiders, are increasingly targeting healthcare organizations for identity theft and other forms of fraud because their systems are a rich source of financial and clinical information.
When it comes to thwarting such activity involving insiders, McMillan says healthcare organizations need to improve monitoring of data access. In addition to taking advantage of audit logs, organizations should use behavioral analysis that measures patterns of when and where users are accessing data and what they're looking at, he says. Improved authentication methods and role-based controls can also help prevent improper access to data, he says.
Also to improve defense against external threats that target employees with social engineering scheme to find entryways into system and data, McMillan suggests healthcare organizations ramp up their employee training. "What HIPAA says they need to be educated on is not enough," he says.
Indeed, improving employee education is one measure ProMedica is taking in the wake of the incident, the hospital says.
"Bay Park Hospital is taking precautions to prevent any further health information breaches. This includes additional training for employees to ensure they understand and follow patient information access policies," the spokeswoman says.
Patients affected by the ProMedica breach are being offered one year of free identity theft protection.