Healthcare News & Insights

2 hospital employees stole, sold protected health information

Healthcare organizations face many security threats from outside hackers looking to steal valuable protected health information. But there may be insider threats to worry about, too. 

That’s what the University of Miami Hospital learned recently after suffering a data breach that’s being blamed on two former employees.

Allegedly, the employees stole so-called “face sheets” that are created during the patient registration process. Those documents contain patients’ names, addresses, dates of birth, insurance policy numbers and the reason for the patients’ visit. The employees may have sold the information to a third party for the purposes of committing medical identity theft, the hospital said in a statement.

It’s unclear how many records were stolen, but patients who visited the hospital between October 2010 and July 2012 may have been affected.

The hospital was first notified of the data breach by police, and the two employees were immediately terminated after admitting to “improper conduct,” the statement said.

Insider threats are becoming a common data security risk in all industries. Often, current or former employees work with cybercriminals and use their access privileges to steal and sell sensitive information. In another recent data breach incident, an emergency room employee was caught stealing patient information and selling it to lawyers and chiropractors who used it to try to attract new customers.

Here are some steps health IT departments can take to reduce the danger of insider threats:

  • Conduct thorough background checks for any new hire who will have access to protected health information. That includes IT employees who will be able to access tech systems holding sensitive data.
  • Give employees the least amount of access to data that they need to do their jobs. Also, regularly audit who has access to what data to make sure no one keeps unnecessary access rights after their duties change.
  • Have a process for quickly communicating personnel changes. It’s important to remove access rights as soon as employees leave the organization. If that isn’t done, former staff members can be a bigger security threat than current employees.
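
The access audit and the removal of departed staff described in the last two steps can be checked mechanically by comparing the HR roster with the access grants actually in place. The Python below is an added example, not part of the original article; the role names, system labels, employee ids and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data: which systems each role needs (hypothetical labels).
ROLE_ENTITLEMENTS = {
    "registration_clerk": {"registration"},
    "er_nurse": {"registration", "clinical_notes"},
    "it_admin": {"registration", "clinical_notes", "billing"},
}

# Constructed HR roster; end_date is None while the person is still employed.
HR_ROSTER = [
    {"id": "e100", "role": "registration_clerk", "end_date": None},
    {"id": "e101", "role": "er_nurse", "end_date": date(2012, 7, 1)},
    {"id": "e102", "role": "registration_clerk", "end_date": None},
]

# Constructed export of (employee id, system) grants from the access system.
ACCESS_GRANTS = [
    ("e100", "registration"),
    ("e101", "clinical_notes"),  # left the organization, grant never removed
    ("e102", "registration"),
    ("e102", "billing"),         # kept after duties changed
    ("e999", "registration"),    # account with no matching HR record
]

def review_access(roster, grants, entitlements, today):
    """Return sorted (employee_id, system, reason) findings for grants to revoke."""
    staff = {person["id"]: person for person in roster}
    findings = []
    for emp_id, system in grants:
        person = staff.get(emp_id)
        if person is None:
            findings.append((emp_id, system, "no HR record"))
        elif person["end_date"] is not None and person["end_date"] <= today:
            findings.append((emp_id, system, "employment ended"))
        elif system not in entitlements.get(person["role"], set()):
            findings.append((emp_id, system, "not needed for role"))
    return sorted(findings)

if __name__ == "__main__":
    today = date(2012, 8, 1)
    for finding in review_access(HR_ROSTER, ACCESS_GRANTS, ROLE_ENTITLEMENTS, today):
        print(*finding, sep="\t")
```

Running the review on a schedule, and again whenever HR reports a personnel change, turns each finding into a revocation ticket.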
