An employee abusing legitimate access privileges to commit identity theft has led to yet another data breach. Notice was sent to more than 2,400 patients at UMass Memorial Medical Center (UMMMC) in Worcester, MA regarding potential identity theft.
On March 6, 2014, the hospital learned that the data of 4 patients had been accessed and used to open fraudulent commercial accounts (that is, for identity theft) by a former hospital employee at some point between May 6, 2002 and March 2014. The hospital began an internal investigation in March that lasted 2 months and found that an additional 2,400 patient records had been inappropriately accessed by the same employee during the course of his or her employment.
In a statement released by UMMMC yesterday, the hospital says that while it is sending these additional patients a letter to inform them about the breach, it has “no indication of any misuse of this information.” UMMMC has set up an incident response hotline that patients who suspect they have been affected can call, and is also offering a free year of credit monitoring services to affected patients.
Inappropriate use of access privileges at hospitals is quite common. Statistics from the vendor FairWarning indicate that hospitals without a rigorous privacy auditing program experience approximately 1 breach for every 200 patient admissions. Most of these involve curious employees looking at the records of friends, family and neighbors. A smaller percentage involve more serious activity such as medical identity theft, credit card fraud, IRS tax fraud and/or fraudulent medical billing.
Many healthcare organizations are purely reactive in their compliance program and simply respond to complaints. Eagle recommends a more proactive approach that includes carefully developed auditing strategies that detect suspicious behavior before a patient complains. Additionally, Eagle recommends making sure that any and all software that handles patient records produces robust audit trails and is properly configured to do so.
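As an added illustration (this is not code from the original post, nor from Eagle's or FairWarning's products), the script below runs a handful of proactive auditing rules of the kind described above over a constructed EHR access trail. The roster, patient index, log lines, rule names and the volume threshold are all assumptions made for the example: it flags an employee viewing a patient with the same last name or home street (family or neighbor snooping), access to a patient outside the employee's home unit, use of an account that is not on the active roster, and a user who touches far more distinct patients than their peers.

```python
"""Proactive privacy auditing over an EHR access trail (added example).

All rosters, patient data, log lines and thresholds below are constructed
for the example; none of it comes from the post or from any vendor product.
"""
import statistics
from collections import defaultdict
from typing import NamedTuple


class Finding(NamedTuple):
    ts: str        # timestamp of the access ("" for per-user volume findings)
    user: str      # employee account id
    patient: str   # patient id ("" for per-user volume findings)
    rule: str      # which auditing rule fired


# Constructed HR roster: active accounts, the employee's last name,
# home unit and home street (street name only, so same street = neighbor).
EMPLOYEES = {
    "u1001": {"name": "Alvarez", "unit": "ED",  "street": "Elm St"},
    "u1002": {"name": "Chen",    "unit": "ICU", "street": "Oak Ave"},
    "u1003": {"name": "Okafor",  "unit": "ICU", "street": "Pine Rd"},
}

# Constructed patient index: last name, home street and the treating unit.
PATIENTS = {
    "p1": {"name": "Chen",  "unit": "ED",  "street": "Oak Ave"},
    "p2": {"name": "Smith", "unit": "ICU", "street": "Main St"},
    "p3": {"name": "Baker", "unit": "ED",  "street": "Elm St"},
    "p4": {"name": "Jones", "unit": "ICU", "street": "Maple Dr"},
    "p5": {"name": "Lee",   "unit": "ICU", "street": "Cedar Ct"},
    "p6": {"name": "Patel", "unit": "ICU", "street": "Lake Rd"},
}

# Constructed audit-trail lines: timestamp, user, action, patient, workstation.
ACCESS_LOG = """\
2014-03-01T08:02:11 u1001 VIEW  p3 ws-ed-01
2014-03-01T08:15:42 u1002 VIEW  p2 ws-icu-02
2014-03-01T09:30:05 u1002 VIEW  p1 ws-icu-02
2014-03-01T10:01:00 u1003 VIEW  p2 ws-icu-01
2014-03-01T10:02:30 u1003 VIEW  p4 ws-icu-01
2014-03-01T10:03:10 u1003 VIEW  p5 ws-icu-01
2014-03-01T10:04:00 u1003 VIEW  p6 ws-icu-01
2014-03-01T10:05:20 u1003 PRINT p3 ws-icu-01
2014-03-01T13:45:09 u1001 VIEW  p2 ws-ed-01
2014-03-02T02:10:00 u1099 VIEW  p5 ws-icu-03
"""

# Assumed threshold: flag a user touching more than 2x the median number of
# distinct patients among active users in the window.
VOLUME_MULTIPLIER = 2


def parse_log(text):
    """Yield (ts, user, action, patient, workstation) from the audit trail."""
    for line in text.splitlines():
        if line.strip():
            ts, user, action, patient, ws = line.split()
            yield ts, user, action, patient, ws


def audit(log_text, employees, patients):
    """Apply the auditing rules and return a list of Finding records."""
    findings = []
    seen = defaultdict(set)  # user -> distinct patients touched
    for ts, user, action, patient, ws in parse_log(log_text):
        seen[user].add(patient)
        emp = employees.get(user)
        if emp is None:
            # Account not on the active roster: orphaned or terminated user still in use.
            findings.append(Finding(ts, user, patient, "no_active_roster_entry"))
            continue
        pat = patients[patient]
        if pat["name"] == emp["name"]:
            findings.append(Finding(ts, user, patient, "same_last_name"))
        if pat["street"] == emp["street"]:
            findings.append(Finding(ts, user, patient, "same_street"))
        if pat["unit"] != emp["unit"]:
            findings.append(Finding(ts, user, patient, "outside_home_unit"))
    # Volume rule: distinct patients well above the peer median.
    counts = {u: len(p) for u, p in seen.items() if u in employees}
    if counts:
        median = statistics.median(counts.values())
        for user, n in counts.items():
            if n > VOLUME_MULTIPLIER * median:
                findings.append(Finding("", user, "", "high_volume"))
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, EMPLOYEES, PATIENTS):
        print(f"{f.ts or '-':20} {f.user:6} {f.patient or '-':3} {f.rule}")
```

Every finding is a lead for the privacy officer to triage, not proof of misconduct: the same-name and same-street rules produce false positives in small towns, and an ICU nurse covering the ED will legitimately trip the unit rule, which is why a real deployment would check against care-team assignments and a longer peer baseline rather than the toy threshold used here. The roster check matters for the case above in particular: a long-tenured account whose access is never compared against the HR roster is exactly the kind that keeps reading records unnoticed.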