
L.A. Medical Center Employee Causes 4,859-Record HIPAA Breach

A 4-year HIPAA data breach has been reported by The University of California Irvine Medical Center after the healthcare provider discovered an employee had accessed nearly 5,000 patient records without authorization.

Shocking Discovery Could Prove Expensive


News of the discovery of a data breach is enough to bring out a cold sweat in many a CISO; news that the breach has been allowed to persist for 4 years unchecked is certain to cause sleepless nights.

The length of time a breach is allowed to persist has major implications for the cost of remediation. Credit and identity theft protection may need to be extended to two years or more and breach fines could be considerable.

The Department of Health and Human Services’ Office for Civil Rights can levy a fine of up to $1.5 million per violation category discovered. That figure is then multiplied by the number of years the violation was allowed to persist.


Healthcare providers can implement a number of security measures to stop employees snooping on records and stealing customer data, but the risk is impossible to eliminate. The OCR will therefore not fine every organization that employs a rogue employee. However, the OCR investigates 100% of data breaches involving 500 or more records, and a hint of a HIPAA violation can trigger a full compliance assessment.

Failure to Conduct Full PHI Access Audits

In this case, the employee was able to get away with improperly accessing medical records for a period of almost four years, during which time the employee was able to view 4,859 medical records. UC Irvine Medical Center will now have to explain to the OCR why it took so long for the breach to be discovered.

The HIPAA Security Rule demands that covered entities conduct a comprehensive risk analysis to identify potential security vulnerabilities. Hospital employees are a security risk and steps should have been taken to reduce the opportunities for employees to access records.

Access should also have been monitored to allow swift action to be taken if PHI was viewed without authorization. However, the accessing of records was not discovered by an internal audit. A person “who was not a patient” tipped off the hospital. This suggests that access logs were not being checked at all.
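The kind of access-log review the paragraph above says was missing can be automated with a small amount of code. The following is an added example, not code from the HIPAA Journal article or from UC Irvine Medical Center: it parses a constructed sample of EHR audit-log lines and flags users who open records of patients they have no treatment relationship with, or who open more distinct patient records in a day than a review threshold. The log format, the care-team roster and the threshold are all assumptions; a real EHR exports different fields and a real roster comes from the scheduling or admissions system.

```python
"""Snooping detection over EHR access logs (added example; format and data are assumed)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of an EHR audit log: timestamp,user,patient_mrn,action
SAMPLE_LOG = """\
2015-03-02T08:01:10,nurse_a,MRN1001,view
2015-03-02T08:05:42,nurse_a,MRN1002,view
2015-03-02T08:30:00,clerk_b,MRN1001,view
2015-03-02T08:31:00,clerk_b,MRN2001,view
2015-03-02T08:32:00,clerk_b,MRN2002,view
2015-03-02T08:33:00,clerk_b,MRN2003,view
2015-03-02T08:34:00,clerk_b,MRN2004,view
2015-03-02T08:35:00,clerk_b,MRN2005,view
2015-03-02T09:00:00,nurse_a,MRN1003,view
"""

# Constructed treatment-relationship roster: the patients each user has a work reason to open.
CARE_TEAM = {
    "nurse_a": {"MRN1001", "MRN1002", "MRN1003"},
    "clerk_b": {"MRN1001"},
}

# Assumed review threshold: more distinct patients than this in one day is escalated.
DAILY_VIEW_THRESHOLD = 5


def parse_log(text):
    """Turn the CSV-style log text into (timestamp, user, mrn, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, mrn, action))
    return events


def find_suspicious_access(events, roster, threshold=DAILY_VIEW_THRESHOLD):
    """Return {user: {"outside_care_team": [...], "daily_peak": n}} for users worth reviewing.

    A user is reported if they opened any record outside their roster, or if the
    number of distinct patients they opened on a single day exceeds the threshold.
    """
    outside = defaultdict(set)   # user -> MRNs opened with no treatment relationship
    per_day = defaultdict(set)   # (user, date) -> distinct MRNs opened that day
    for ts, user, mrn, _action in events:
        if mrn not in roster.get(user, set()):
            outside[user].add(mrn)
        per_day[(user, ts.date())].add(mrn)

    findings = {}
    for user in {u for u, _ in per_day}:
        peak = max(len(mrns) for (u, _), mrns in per_day.items() if u == user)
        unknown = sorted(outside.get(user, ()))
        if unknown or peak > threshold:
            findings[user] = {"outside_care_team": unknown, "daily_peak": peak}
    return findings


if __name__ == "__main__":
    for user, detail in find_suspicious_access(parse_log(SAMPLE_LOG), CARE_TEAM).items():
        print(user, detail)
```

Run daily over the previous day's export, this check surfaces the pattern described in the article within a day rather than after four years; the roster check is the stronger signal, because a volume threshold alone misses an employee who views a handful of records a week.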

Patient Records Improperly Accessed Since 2011


An employee of the medical center was provided with access to healthcare records in order to complete some work duties. The improper accessing of records started in June, 2011. In March, 2015, the hospital discovered the employee had been accessing records of patients without authorization.

According to a hospital spokesperson, John Murray, the incident has now been investigated and a forensic investigation conducted of the employee’s email account and desktop computer. He said there was no evidence to suggest the employee downloaded the information or emailed it to a third party.

No Social Security numbers, driver’s license numbers or financial information appears to have been viewed or copied, suggesting the records were accessed out of curiosity rather than for personal gain. The information could have been copied manually.


Patients Placed at Risk of Suffering Identity Theft


The information that was potentially viewed and copied includes patient names, addresses, dates of birth, medical record numbers, test orders, test results, medications prescribed, employment status and physical characteristics such as height and body weight.

Since there is a risk that some of the information has been used inappropriately, UC Irvine Medical Center will be offering a year of identity theft and credit monitoring services without charge to all affected patients.

Patients are not the only ones at risk. The information gained by the employee could be used to conduct highly convincing – and highly effective – spear phishing campaigns. Since physicians’ information has been compromised, it is conceivable that they could become targets to allow cybercriminals to gain access to hospital databases.

A criminal investigation is underway and law enforcement officers have access logs, which are being checked for patterns. Breach notification letters have been sent to all affected patients this week and the employee “has been disciplined” and “no longer has access to the hospital’s computer systems.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
