Last week, news reports emerged that the Beverly Hills, CA plastic surgery practice of Zain Kadri, MD, suffered an extensive insider data breach. A recently terminated employee is implicated. The breach included roughly 15,000 documents of patients from 16 states and five countries. Furthermore, the former employee is alleged to have posted pictures and videos of the patients, including while they were undergoing surgical procedures, to social media, and to have sent passwords and credit card information, by text message.
Originally hired as a driver and translator, the former employee’s responsibilities expanded, which put her in contact with confidential medical and personal records. She quit her job on March 13, 2017 amid embezzling allegations. The extent of her photo and information sharing was realized when the practice accessed her company phone.
In addition to her online sharing, physical files, records, and computer hard drives were stolen on May 1st from the company’s Palmdale location. The former employee is a suspect in the burglary investigation. The practice, which has seen a number of patients who are of an “affluential” status, is working to inform their clients of the breach. The notification process has been complicated because much of the contact information for many patients has been stolen.
Research has shown that improper insider access of records is a significant threat for data breach protection. HIPAA covered entities are required by HIPAA to implement controls to protect against this threat. HIPAA requirements, and best practices include the following:
- All software used should to maintain robust audit logs. The audit log should record details of who did what and when they did it. It is essential to review the quality of audit logging when selecting application software.
- Physical security measures, including intrusion detection, and video recording and monitoring has become much less costly. Employees who know that their actions are recorded are less likely to violate rules.
- The organization must have a proactive internal audit program. Due to the vast quantity of information in these computer audit logs, the only effective internal audit approach is to use a tool specifically designed to scan for suspicious behavior. Two vendors that provide such solutions include FairWarning and Spher. These tools use sophisticated algorithms to identify suspicious activity, and alert the HIPAA Privacy Officer. Whenever suspicious activity is identified, an investigation should be conducted to determine if a HIPAA violation occurred.
- Finally, it is essential to have an effective sanction policy to discipline employees who violate HIPAA confidentiality policies.
Research has shown that health care organizations who implement these controls can reduce insider violations by more than 80%.
To read more stories about data breach, click here.