On April 24, Nassau Radiologic Group Medical Associates (NRAD) in Long Island, New York discovered that a radiologist employed by the organization had accessed the billing systems without authorization and acquired the protected health information of almost 100,000 patients.

The data included patients' names and addresses, dates of birth, Social Security numbers, health insurance information, diagnosis codes and procedure codes.  According to the letter being sent to the 97,000 patients, there is "no indication that the information has been disclosed to or used by any third parties," and there is no evidence that patients' financial or credit card information was accessed.

The breach notification letters advised patients to contact one of the three major credit bureaus to place a fraud alert on their credit report and encouraged them to obtain a free credit report and review it for fraudulent or unrecognized activity.  In other words, NRAD did not include an offer to pay for credit monitoring services.  However, another blogger (see https://www.databreaches.net/radiologist-bypasses-billing-system-computer-security-and-acquires-97000-patients-info-from-nrad-medical-associates/) reported that patients who called and asked for credit monitoring were given it.  HIPAA requires covered entities to mitigate the harmful effects of a breach, although the regulations do not explicitly detail what mitigation is required.

The employee suspected of the misconduct was no longer employed by the organization at the time of the discovery, and the authorities have been informed.  Per other media reports, NRAD Medical Associates is tight-lipped about the identity of the employee and the circumstances of his or her departure.  If we were to speculate, the radiologist may have taken information on recent patients in order to solicit them at a competing practice.

In the patient Q&A that was enclosed with the letter, NRAD indicated that the number of patients affected represents 12% of the 800,000 patients served over the last 20 years.  If our theory of motive is correct, the 97,000 records may represent the recent patients whose addresses and contact info are more likely to be current.

It is difficult to prevent inside jobs, especially by a trusted employee such as a physician whose job legitimately requires access to patient records.  HIPAA requires, and we recommend, that practices have 1) an auditing program in place to identify suspicious access behavior and 2) an employee sanction program to discipline offenders.

Regarding the auditing program, one element to include is a way to detect the extraction of large numbers of patient records: an account that touches thousands of distinct patients in a day stands out against colleagues who view a few dozen, and a periodic review of access logs against that kind of baseline would very likely have surfaced this breach long before 97,000 records were taken.  In large organizations such as hospitals or insurers, manual log review does not scale, so automated user-activity monitoring tools, such as those sold by FairWarning, are necessary for a robust auditing program.
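The following is an added example of the kind of bulk-access check described above; it is not NRAD's or FairWarning's code, and the audit-log format and the user names (rad01 through rad04) are assumptions.  It counts the distinct patients each account accessed per day and flags any account whose count exceeds both an absolute floor and a multiple of the median count of its peers that day.  The log lines are constructed so that three accounts do ordinary reading work while one pulls 3,000 records in under an hour.

```python
"""Flag accounts that access an abnormal number of distinct patient records.

Added example; not code from the page or from any vendor.  Assumes an
application audit log with one line per record access in the form
    <ISO-8601 timestamp> <user> <action> <patient_id>
All log lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Return constructed audit-log lines: three normal readers and one bulk puller."""
    lines = []
    day_start = datetime(2014, 4, 20, 8, 0, 0)
    # Normal workload: each radiologist views 40 distinct patients over the day,
    # re-opening a few of them.  Repeat views must not inflate the count.
    for user, base_id in (("rad01", 100000), ("rad02", 200000), ("rad03", 300000)):
        for i in range(40):
            ts = day_start + timedelta(minutes=12 * i)
            lines.append(f"{ts.isoformat()} {user} VIEW {base_id + i}")
            if i % 10 == 0:
                again = ts + timedelta(minutes=3)
                lines.append(f"{again.isoformat()} {user} VIEW {base_id + i}")
    # Bulk extraction: one account touches 3,000 distinct patients in about an hour.
    for i in range(3000):
        ts = day_start + timedelta(seconds=1.2 * i)
        lines.append(f"{ts.isoformat()} rad04 VIEW {900000 + i}")
    return lines


def parse_line(line):
    """Split one audit-log line into (timestamp, user, action, patient_id)."""
    ts, user, action, patient = line.split()
    return datetime.fromisoformat(ts), user, action, patient


def distinct_patients_per_user_day(lines):
    """Map (user, date) -> number of distinct patient IDs accessed that day."""
    seen = defaultdict(set)
    for line in lines:
        ts, user, _action, patient = parse_line(line)
        seen[(user, ts.date())].add(patient)
    return {key: len(patients) for key, patients in seen.items()}


def detect_bulk_access(lines, ratio=5.0, floor=200):
    """Return alerts for accounts whose daily distinct-patient count is anomalous.

    An account is flagged when its count exceeds max(floor, ratio * peer_median),
    where peer_median is the median count of all *other* accounts active that
    day.  The floor keeps tiny populations (or a single busy reader) from
    triggering on noise; the ratio adapts to what is normal for the practice.
    """
    counts = distinct_patients_per_user_day(lines)
    alerts = []
    for (user, day), n in sorted(counts.items()):
        peers = [c for (u, d), c in counts.items() if d == day and u != user]
        peer_median = median(peers) if peers else 0
        threshold = max(floor, ratio * peer_median)
        if n > threshold:
            alerts.append({
                "user": user,
                "date": day.isoformat(),
                "distinct_patients": n,
                "peer_median": peer_median,
                "threshold": threshold,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(build_sample_log()):
        print(alert)
```

Two caveats a practitioner should keep in mind.  First, this is a retrospective control: run nightly it surfaces the pull the next morning, which is far better than discovering it months later but does not stop the export in progress; a per-hour version of the same count, or an alert on the rate of distinct patients per minute, catches scripted extraction much sooner.  Second, the logic only works if the log records the real actor; if the access bypassed the billing application (as the title of the linked databreaches.net report suggests), the application log will be empty and the same check must be fed from database-level audit records instead.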
