[BreachExchange] Former Executive Accessed PHI of Nearly 38,000 Individuals

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Oct 13 16:21:43 EDT 2021


https://www.healthcareinfosecurity.com/former-executive-accessed-phi-nearly-38000-individuals-a-17724

A compromise of sensitive health information affecting nearly 38,000
individuals discovered nearly a year after a terminated company executive
accessed the data spotlights some of the top security and privacy
challenges covered entities and business associates face with insiders.

Texas-based accountable care organization Premier Patient Healthcare, in a
report filed on Friday to the Maine attorney general's office, described
the June 2020 incident - discovered in April 2021 - as "insider wrongdoing,
loss or theft of device or media (computer, laptop, external hard drive,
thumb drive, CD, tape, etc.)."

The incident is not yet posted on the Department of Health and Human
Services' HIPAA Breach Reporting Tool website listing health data breaches
affecting 500 or more individuals.

Premier, however, reported the breach to Maine's attorney general as
affecting 37,636 individuals, including two Maine residents.

Breach Details
In a sample notification letter provided to the Maine attorney general's
office, Premier says that on April 30, it discovered evidence indicating
that a former executive of Premier had accessed its computer system after
the termination of his employment and had obtained and accessed a file
containing health information.

The information in the file included name, age, sex, race, county and state
of residence, and zip code, as well as Medicare beneficiary information,
such as Medicare eligibility period, spend information, and hierarchical
condition category risk score, the report says.

"We have investigated this incident but have been unable to determine how
the information was further handled or used after it was acquired. We are
continuing to investigate the full extent of the breach," the sample letter
says.

Vendor Involvement?
A data security incident notice posted on Premier's website offers a
slightly different description of the incident, implying that a third-party
technology vendor was also involved in the breach.

In that statement, Premier says that on April 30, "Wiseman Innovations, a
technology vendor of Premier Patient Healthcare, discovered evidence
indicating that a former executive of Premier and its contracted technology
vendor obtained and accessed a file containing sensitive health information
in July 2020, after the termination of their employment."

Premier, in partnership with its contracted technology vendor, is
completing an ongoing investigation and has reported the incident to the
appropriate regulatory agencies, the statement notes.

An attorney representing Premier declined Information Security Media
Group's request for clarification about the incident, including whether the
breach involved both a former company executive and a vendor, and whether
the incident involved access to PHI contained on a mobile computing/storage
device, as indicated in the report submitted to Maine's attorney general.

"There is an ongoing investigation into this matter and we have no
comment," the attorney tells ISMG.

Steps to Take
Healthcare entities and their vendors should take steps to prevent breaches
of protected health information involving employees who have left their
employment with the organization, experts say.

For instance, when an employee gives notice or is told that their
employment is ending, organizations should terminate all access to PHI and
sanitize employee-owned devices immediately rather than waiting until the
employee's last working day, says regulatory attorney Paul Hales of the
Hales Law Group. "Much damage can be done in two weeks," he says.

Insiders are often caught inappropriately accessing patient information
because the workers leave an electronic trail, he notes.

Mobile Device Risk
Organizations should also take steps to ensure the return of company-owned
mobile computing and storage devices, or the deletion of sensitive data at
the end of a worker's employment, experts note.

"We recommend that HR and/or IT uses a checklist to ensure assets are
returned and any work-related data that is not stored within company assets
is erased or destroyed," says Tom Walsh, president of privacy and security
consultancy tw-Security.

Personally owned devices - including smartphones, laptops, tablets and
portable media - may contain confidential information that belongs to the
organization, he notes.

"Most medium- and large-size organizations should have mobile device
management, which could facilitate doing a remote wipe of company data from
any personally owned device enrolled in their bring-your-own-device
program," Walsh says.

Terminating Access
Other important steps covered entities and business associates should take
when employees - including executives - leave their employment include
ensuring that their access to PHI has ended, Walsh says.

That includes checking for rules in the former executive’s email
account/mailbox.

"The executive may have set up a rule in email to automatically forward
certain emails to a personal email account," he says.

"Even after termination, the rule may still be in place because the
organization would likely change the password to the executive’s email
account/mailbox, but keep the account/mailbox active to ensure that key
communications are not missed."

Another person in the organization may have the responsibility for
monitoring incoming emails into the terminated executive’s mailbox, he
notes. "But if someone didn’t check the account to verify if the rules were
turned off, they may not even be aware of the auto-forwarding activity."

Entities also should remove remote access capability to cloud storage
services, Walsh says, and they should keep in mind that executives often
have more expanded privileges to access sensitive company/patient
information than other workers - even if they don’t always need it.

"The executive may not log in or seldom log in with those elevated
privileges, but they have them," and that access needs to be terminated
when the individual leaves the organization, he notes.
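The two checks Walsh describes - looking for mail rules that still forward out of the organization after the password change, and confirming that elevated privileges were actually removed - lend themselves to a scripted offboarding audit. The following is an added example and not code from the article, from Premier, or from tw-Security; the rule records and role assignments are constructed inline, the field names loosely follow the properties an Exchange inbox-rule export exposes (an assumption, not a documented schema), and `premier.example` is a placeholder domain.

```python
"""Offboarding audit for a terminated account.

Flags (1) mailbox rules that forward or redirect mail to addresses outside the
organization's own domains and (2) privileged role assignments that survived
termination. Added example; all data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed placeholder: the organization's own mail domains.
ORG_DOMAINS = {"premier.example"}


@dataclass
class InboxRule:
    """One mailbox rule. Field names are an assumption modelled on the
    ForwardTo / RedirectTo / ForwardAsAttachmentTo properties of an
    Exchange inbox-rule export; any export with the same data will do."""
    name: str
    enabled: bool
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    forward_as_attachment_to: List[str] = field(default_factory=list)


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address's domain is not one the organization controls."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in org_domains


def external_forwarding_rules(rules: List[InboxRule]) -> List[Dict]:
    """Report every rule with at least one external target.

    Disabled rules are reported too (with enabled=False): anyone who later
    gains mailbox access can switch them back on, so they belong in the
    report even if they pose no immediate leak."""
    findings = []
    for rule in rules:
        targets = rule.forward_to + rule.redirect_to + rule.forward_as_attachment_to
        external = [t for t in targets if is_external(t)]
        if external:
            findings.append(
                {"rule": rule.name, "enabled": rule.enabled, "external_targets": external}
            )
    return findings


def lingering_privileges(role_assignments: Dict[str, List[str]], account: str) -> List[str]:
    """Roles in which the terminated account is still a member."""
    acct = account.lower()
    return sorted(
        role for role, members in role_assignments.items()
        if acct in (m.lower() for m in members)
    )


def offboarding_report(account: str, rules: List[InboxRule],
                       role_assignments: Dict[str, List[str]]) -> Dict:
    """Combine both checks. 'ok' is True only when no *enabled* external
    forward remains and no privileged role is still assigned."""
    forwards = external_forwarding_rules(rules)
    roles = lingering_privileges(role_assignments, account)
    ok = not any(f["enabled"] for f in forwards) and not roles
    return {"account": account, "forwarding_findings": forwards,
            "lingering_roles": roles, "ok": ok}


# Constructed sample data standing in for an export of the former
# executive's mailbox rules and the directory's role membership.
SAMPLE_RULES = [
    InboxRule("Forward board decks", True, forward_to=["exec.personal@mail.example"]),
    InboxRule("Copy to assistant", True, forward_to=["assistant@premier.example"]),
    InboxRule("Old redirect", False, redirect_to=["someone@webmail.example"]),
]
SAMPLE_ROLES = {
    "Global Administrator": ["cfo@premier.example", "it-admin@premier.example"],
    "Billing Reader": ["cfo@premier.example"],
    "Helpdesk": ["it-admin@premier.example"],
}

if __name__ == "__main__":
    report = offboarding_report("cfo@premier.example", SAMPLE_RULES, SAMPLE_ROLES)
    for f in report["forwarding_findings"]:
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"rule '{f['rule']}' ({state}) forwards to {f['external_targets']}")
    print("lingering roles:", report["lingering_roles"])
    print("offboarding clean:", report["ok"])
```

Run against a real export, the same functions take the rule list and role membership from whatever system holds them; the decisive design choice is that the check keys on the mailbox staying active, which is exactly the condition under which a forgotten forward keeps working after the password change.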

Regulatory Action
Regulators also have taken enforcement action in some cases involving
insider breaches.

For instance, one year ago, HHS' Office for Civil Rights settled an
investigation into a terminated employee’s theft of the PHI of 498
individuals from the New Haven Connecticut Health Department (see: City
Faces HIPAA Fine After Health Department Breach).

The city of New Haven in October 2020 agreed to pay a $200,000 financial
settlement and implement a corrective action plan in the wake of the 2016
incident, which involved a former city employee who continued to access
citizens’ health records - and shared her credentials with an intern -
after her job had been terminated.

The HIPAA breach was also the subject of a criminal case against the former
employee. In 2017, state prosecutors charged her with third-degree burglary
and larceny in the case.

"The danger of insider theft is extremely dangerous because insiders have
the 'keys to the kingdom,'" Hales notes.

"It is important to investigate and prosecute insider PHI thieves to learn
how the theft could have been prevented, punish the thief and set a
standard to deter other insider thefts."