HIPAA Horror Stories

Insider Theft


A well-respected co-worker, manager or executive might turn out to be a thief, especially when they leave. It’s a difficult truth, but the risk can be managed.

A terminated executive may have accessed the protected health information (PHI) of 38,000 individuals at Premier Patient Healthcare (Premier), a Texas-based accountable care organization. The breach was not discovered until nearly a year after the executive left. It is not clear whether a third-party vendor is also involved in the incident.

Premier posted a notice on its website indicating that a former executive of Premier and its contracted technology vendor, Wiseman Innovations, may have accessed the files. An internal investigation is ongoing.

Premier reported that on April 30, 2021 it discovered evidence indicating that a former executive of Premier had accessed its computer system after the termination of his employment and had obtained and accessed a file containing health information. The theft occurred in July 2020.

The information in the file included name, age, sex, race, county and state of residence, and zip code, as well as Medicare beneficiary information, such as Medicare eligibility period, spend information, and hierarchical condition category risk score, the report says.

The breach has been reported to the Office for Civil Rights (OCR), and appears on its breach reporting tool. OCR investigates all breaches affecting 500 or more individuals.

Dangers of Insider Theft

Insider theft is especially dangerous because insiders already hold the ‘keys to the kingdom’.

Just a year ago OCR settled an investigation of a terminated employee’s theft of the PHI of 498 individuals from the New Haven, Connecticut, Health Department. The City of New Haven agreed to pay $202,400 and undertake a 2-year corrective action plan for a PHI theft that affected a much smaller group than the Premier theft.

Over the past four years OCR has repeatedly warned of the dangers of insider theft, including theft by terminated employees, and has issued guidance for managing malicious insider threats.

Manage Threat of Insider Theft with HIPAA

Key HIPAA Security Rule requirements include workforce security procedures that prevent current and terminated employees from obtaining unauthorized access to electronic PHI, as well as Information System Activity Review, Access Management and Access Control.

If employees, including executive management, are allowed to use portable devices, the organization must closely monitor and control those devices, including devices owned by the employee. This is especially important now that employees are working from home.

When an employee gives notice or is given notice that their employment is ending, organizations should terminate all access to PHI and sanitize employee-owned devices immediately, rather than waiting until their last working day. Much damage can be done in two weeks.

Insiders can be caught because they invariably leave an electronic trail. The New Haven breach also involved theft of paper records witnessed by an intern. However, once the records are stolen, the damage is done.
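The two points above, revoking access the moment notice is given and reviewing the electronic trail so a terminated account's activity is noticed in days rather than a year, can be turned into a routine Information System Activity Review check. The following is an added example, not code from the original article or from any product it mentions: it reads a constructed access log in a simple key=value format, compares each entry against a constructed workforce roster of termination timestamps, and reports every access that happened after the user's access should have been revoked, plus how long each finding went undetected before a review date. The log format, user ids, dates and function names are all assumptions made for this example.

```python
"""Added example: flag access-log entries made by workforce members after
their termination date (a minimal HIPAA Information System Activity Review).
Roster, log lines, user ids and dates are constructed for this example."""
import re
from datetime import datetime, timezone

# Constructed workforce roster: user id -> moment access should have been
# revoked (UTC). Per the article, that is when notice is given, not the
# last working day.
TERMINATED = {
    "exec01": datetime(2020, 6, 30, 17, 0, tzinfo=timezone.utc),
    "nurse07": datetime(2020, 8, 15, 9, 0, tzinfo=timezone.utc),
}

# Constructed access-log lines (assumed key=value format).
SAMPLE_LOG = """\
2020-06-29T10:02:11Z user=exec01 action=view resource=dashboard
2020-07-03T02:13:55Z user=exec01 action=download resource=beneficiary_file.csv
2020-07-03T02:14:20Z user=exec01 action=download resource=beneficiary_file.csv
2020-08-01T14:30:00Z user=nurse07 action=view resource=chart/12345
2020-08-16T08:45:10Z user=nurse07 action=view resource=chart/67890
2020-09-02T11:00:00Z user=analyst02 action=view resource=report
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) resource=(?P<res>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return {"ts": ts, "user": m.group("user"),
            "action": m.group("action"), "resource": m.group("res")}


def find_post_termination_access(log_text, terminated):
    """Return every log entry by a terminated user at or after their cutoff."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        cutoff = terminated.get(entry["user"])
        if cutoff is not None and entry["ts"] >= cutoff:
            entry["days_after_termination"] = (entry["ts"] - cutoff).days
            findings.append(entry)
    return findings


def summarize(findings):
    """Per user: number of post-termination events and the earliest one."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["user"], {"events": 0, "first": f["ts"]})
        s["events"] += 1
        if f["ts"] < s["first"]:
            s["first"] = f["ts"]
    return summary


def detection_lag_days(summary, reviewed_on):
    """Days between a user's first post-termination access and the review date,
    i.e. how long the activity went unnoticed."""
    return {user: (reviewed_on - s["first"]).days for user, s in summary.items()}


if __name__ == "__main__":
    found = find_post_termination_access(SAMPLE_LOG, TERMINATED)
    for f in found:
        print(f"{f['ts'].isoformat()} {f['user']} {f['action']} {f['resource']} "
              f"(+{f['days_after_termination']}d after termination)")
    # Constructed review date to illustrate the cost of infrequent reviews.
    review = datetime(2021, 4, 30, tzinfo=timezone.utc)
    print(detection_lag_days(summarize(found), review))
```

Run on the constructed log, the check flags both downloads by `exec01` and the single chart view by `nurse07`, while `analyst02`, who is not on the terminated roster, is not reported. Reviewing the log weekly instead of once a year would have turned a lag of roughly 300 days into a lag of a few days; that is the practical difference an activity-review schedule makes.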

It is important to investigate and prosecute insider PHI thieves to learn how the theft could have been prevented, punish the thief and set a standard to deter other insider thefts.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Copyright © 2023 ET&C Group LLC.
