Radiology Practice Reveals Insider BreachRadiologist Accessed Billing Systems Without Authorization
About 97,000 current and former patients of NRAD Medical Associates, a radiology practice in Long Island, N.Y., are being notified that a radiologist formerly employed with the organization accessed and acquired protected health information from NRAD's billing systems without authorization.
Information inappropriately accessed in the breach includes patient names and addresses, dates of birth, Social Security numbers, health insurance information and diagnosis and procedure codes, the practice says.
The number of patients affected by the breach, which occurred on or about April 24, represents about 12 percent of the total NRAD has treated in the last 20 years, the practice reports.
NRAD says financial data, such as banking and credit card information, was not obtained during the intrusion, and there's no indication that the information was disclosed to or used by any third parties.
"While our internal investigation is continuing, it appears that a single individual, a radiologist who was employee by NRAD at the time of the breach, bypassed security systems within the company's billing and data systems," the organization says. "The individual is no longer employed at the practice and his misconduct was reported to the appropriate authorities and government agencies for investigation."
NRAD says it is working with the U.S. Department of Health and Human Services' Office of Civil Rights and all "applicable government agencies" to notify patients.
A spokesperson for NRAD says impacted individuals will receive free credit monitoring services if they request it.
Following the incident, NRAD says it took several unspecified measures to enhance the security safeguards of its billing and patient databases. The organization did not immediately respond to a request for additional information.
Mitigating Insider Threats
Healthcare organizations can take several steps to prevent patients from becoming the victims of medical identity theft and fraud committed by insiders, says Mac McMillan, CEO of security consulting firm CynergisTek (see: Thwarting Cybercrime in Healthcare).
One key step involves improving monitoring of data access. In addition to taking advantage of audit logs, organizations should use behavioral analysis that measures patterns of when and where users are accessing data and what they're looking at, McMillan suggests.
Another measure to mitigate the risks is to improve workforce training on appropriate access to records and other aspects of maintaining patient privacy, says Stevie Davidson, CEO of Health Informatics Consulting (see: Insider Threats: A Mitigation Strategy).