Asante, a healthcare provider serving southern Oregon and northern California, is notifying more than 8,800 patients that a physician accessed their health records without authorization. Asante provides comprehensive medical care services, operating three hospitals and 30+ primary care and specialty clinic locations in nine counties.
Dr. Paul Hoffman was not an employee of Asante, but had admitting privileges, and access to Asante’s electronic health record (EHR) system to allow him to treat his patients while there. The inappropriate access took place for 8 1/2 years, from June 2014 through early January, 2023. Asante filed a breach report with the Office for Civil Rights (OCR) on February 24, 2023, noting that 8,834 patients were affected.
According to Asante’s notice on its website:
“A concern was raised that a doctor with admitting privileges at Asante, Dr. Paul Hoffman, may have accessed a number of patients’ records without a valid clinical need.”
They then launched an investigation into Dr. Hoffman’s access to patient records. The investigation, between December 30, 2022 and February 14, 2023, uncovered that the doctor’s access to a number of records “may have been without a valid clinical purpose.” The records may have included included patients’ names, demographic information, and diagnostic and treatment information.
The notice further explains that Asante uses electronic auditing systems that review every user’s access to its EHR system and attempts to identify cases of inappropriate access. They do not explain how this unauthorized access escaped notice for as long as it did, but Asante pledges to review “whether additional measures can be put in place to more quickly detect potentially inappropriate access to medical information by authorized users.”
Insider Motivation
Asante concludes its notice by saying that the investigation revealed that Dr. Hoffman accessed records “out of curiosity rather than for any fraudulent purposes” and Asante does not believe that patients need to take any steps in response to the incident or that the incident increases their risk of identity theft.
This is a strong statement to make, and while this conclusion may be correct, Asante still faces an investigation by OCR, which investigates all healthcare data breaches that affect 500 or more individuals. OCR will ask lots of questions and evaluate Asante’s policies, procedures and systems to help them shore up their security.
An insider who snoops out of curiosity is not unheard of, but it’s also not the most common. Employees, vendors, and other third parties all present a risk to patient data, and the causes vary. Some are intentional, some are caused by negligence, and some are simply mistakes.
Regardless of the cause or motivation, insider threats are real. Last year the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) published a report warning about insider threats in healthcare. It’s a good report with lots of ideas about how to detect and prevent insider threats.
Risk Management and Annual Risk Analysis
Your security risk assessment and the broader annual HIPAA Risk Analysis together are the best defense against insider threats to patient data. Core mitigation measures you can use include:
- Cybersecurity awareness training for staff and third parties with access – use sanctions to discourage intentional actors.
- Limit access to PHI and establish role-based access control.
- Strong system access review and audits.
- Implement the zero-trust and multi-factor authentication models.
There are other key steps, and you can learn about the ones unique to your organization by doing your own risk analysis. If you need help, give The HIPAA E-Tool® a call.