A 4-year HIPAA data breach has been reported by The University of California Irvine Medical Center after the healthcare provider discovered an employee had accessed nearly 5,000 patient records without authorization.
Shocking Discovery Could Prove Expensive
News of the discovery of a data breach is enough to bring out a cold sweat in many a CISO; news that the breach has been allowed to persist for 4 years unchecked is certain to cause sleepless nights.
The length of time a breach is allowed to persist has major implications for the cost of remediation. Credit and identity theft protection may need to be extended to two years or more and breach fines could be considerable.
The Department of Health and Human Services’ Office for Civil Rights can levy a fine of up to $1.5 million per violation category discovered. That figure is then multiplied by the number of years the violation was allowed to persist.
Healthcare providers can implement a number of security measures to stop employees from snooping on records and stealing patient data, but the risk is impossible to eliminate. The OCR will therefore not fine every organization that employs a rogue employee. However, the OCR investigates 100% of data breaches affecting 500 or more records, and a hint of a HIPAA violation can trigger a full compliance assessment.
Failure to Conduct Full PHI Access Audits
In this case, the employee was able to get away with improperly accessing medical records for a period of almost four years, during which time the employee was able to view 4,859 medical records. UC Irvine Medical Center will now have to explain to the OCR why it took so long for the breach to be discovered.
The HIPAA Security Rule demands that covered entities conduct a comprehensive risk analysis to identify potential security vulnerabilities. Hospital employees are a security risk and steps should have been taken to reduce the opportunities for employees to access records.
Access should also have been monitored to allow swift action to be taken if PHI was viewed without authorization. However, the accessing of records was not discovered by an internal audit. A person “who was not a patient” tipped off the hospital. This suggests that access logs were not being checked at all.
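The kind of routine access-log review the article says was missing can be automated. The following is an added illustration, not code from the article or from UC Irvine; the CSV-style log format, the user names and the care-team flag are assumptions, and the log lines are constructed. It flags users who open many records for patients they have no documented treatment relationship with, and reports each user's peak number of distinct records opened in a single day for comparison against a role baseline.

```python
"""Flag possible PHI snooping in EHR access-audit logs (added illustration,
not code from the article; log format and care-team flag are assumptions)."""
from collections import defaultdict

# Constructed sample audit lines: timestamp,user,patient_mrn,care_team_member
SAMPLE_LOG = """\
2011-06-02T09:14:00,nurse_a,MRN1001,yes
2011-06-02T09:20:00,nurse_a,MRN1002,yes
2011-06-02T12:41:00,clerk_b,MRN2001,no
2011-06-03T08:05:00,clerk_b,MRN2002,no
2011-06-03T08:06:00,clerk_b,MRN2003,no
2011-06-03T08:09:00,clerk_b,MRN2004,no
2011-06-04T17:55:00,clerk_b,MRN2005,no
2011-06-05T10:00:00,nurse_a,MRN1003,no
"""

def parse_log(text):
    """Parse CSV-style audit lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, mrn, care = line.split(",")
            events.append({"ts": ts, "user": user, "mrn": mrn,
                           "care_team": care == "yes"})
    return events

def unrelated_access(events, max_unrelated=3):
    """Users who opened more than max_unrelated distinct records with no
    documented treatment relationship -> sorted list of those MRNs."""
    seen = defaultdict(set)
    for e in events:
        if not e["care_team"]:
            seen[e["user"]].add(e["mrn"])
    return {u: sorted(m) for u, m in seen.items() if len(m) > max_unrelated}

def peak_daily_volume(events):
    """Most distinct records each user opened in any single day, for
    comparison against that role's historical baseline."""
    per_day = defaultdict(set)
    for e in events:
        per_day[(e["user"], e["ts"][:10])].add(e["mrn"])
    peak = {}
    for (user, _day), mrns in per_day.items():
        peak[user] = max(peak.get(user, 0), len(mrns))
    return peak

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(unrelated_access(evts), peak_daily_volume(evts))
```

Run against real exports, the thresholds should come from each role's historical baseline rather than the fixed values used here.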
Patient Records Improperly Accessed Since 2011
An employee of the medical center was provided with access to healthcare records in order to complete work duties. The improper accessing of records started in June 2011. In March 2015, the hospital discovered the employee had been accessing patient records without authorization.
According to a hospital spokesperson, John Murray, the incident has now been investigated and a forensic investigation conducted of the employee’s email account and desktop computer. He said there was no evidence to suggest the employee downloaded the information or emailed it to a third party.
No Social Security numbers, driver’s license numbers or financial information appears to have been viewed or copied, suggesting the records were accessed out of curiosity rather than for personal gain. The information could have been copied manually.
Patients Placed at Risk of Suffering Identity Theft
The information that was potentially viewed and copied includes patient names, addresses, dates of birth, medical record numbers, test orders, test results, medications prescribed, employment status and physical characteristics such as height and body weight.
Since there is a risk that some of the information has been used inappropriately, UC Irvine Medical Center will be offering a year of identity theft and credit monitoring services without charge to all affected patients.
Patients are not the only ones at risk. The information gained by the employee could be used to conduct highly convincing – and highly effective – spear phishing campaigns. Since physicians’ information has also been compromised, it is conceivable that they could become targets to allow cybercriminals to gain access to hospital databases.
A criminal investigation is underway and law enforcement officers have access logs, which are being checked for patterns. Breach notification letters have been sent to all affected patients this week and the employee “has been disciplined” and “no longer has access to the hospital’s computer systems.”