Implications of Internal Data Theft at Hospitals: Tips for Preventing and Handling Data Breaches by Employees

Carlton Fields
Internal data theft by employees at hospitals and health systems is becoming an increasing concern. Criminals are targeting low-level employees who have access to patient information at the hospital for the purpose of stealing the data for profit. What should you look for if you are trying to root out a potential data breach or prevent these kinds of breaches? What steps should you take if a breach occurs?

Data security and privacy attorneys Gavrila Brotz and Marissel Descalzo provide tips for uncovering data breach threats, best practices for conducting an internal investigation, what to do when a breach occurs, preventive measures, and cyber litigation trends in this 20-minute CFJB on Cyber podcast.

***

TRANSCRIPT:

Marissel Descalzo: Thank you. Recently there’s been an increase in internal data theft. Data breaches are not just the result of external threats. We are seeing an increased trend in hospital and health system employees who are now fully accessing and stealing patient information. The purpose of this is to sell the information and the reason is, it’s very profitable. Criminals are targeting low-level employees who have access to patient information such as people in the medical records department; transporters; people in admissions. Most of the time these individuals are either already employed by the hospital or some may be seeking employment for the specific purpose to assist these data breach thieves.

We’ve seen positions that have been targeted either hospital-based or even people seeking positions with third-party vendors in order to get access to this information.

Gavrila Brotz: So what do you look for if you are trying to root out a potential data breach or prevent these kinds of breaches? Look for numerous general searches that are being performed by hospital employees or employees of vendors, searching for patients’ names or their dates of birth. Numerous successive searches in modules that provide you with demographic information without entering into a patient’s record, or a high volume of printing of demographic information or financial information of patients. For example, their face sheets or other screenshots with patients’ names, addresses, dates of birth and/or their Social Security numbers. It’s very common that these data breaches are ultimately found when an individual is pulled over by the police for a traffic stop and the policeman notices a large stack of face sheets from a hospital and it turns out that that’s what’s been going on. So the key is to find this before the traffic stop, to find this internally by seeking out and finding these kinds of searches or printing that’s going on by employees. So you want to identify them and investigate.

Some additional preventative measures that you can take are to prohibit employees’ access to patients’ full Social Security numbers, as much as possible. And you can also restrict employees by requiring all of their personal belongings, including their own phones or devices, to remain in a secured area to be retrieved only before they leave and to have them sign and execute acknowledgments verifying their attendance at routine HIPAA training and that also acknowledge their understanding to abide by regulatory requirements. As far as vendors are concerned, it’s important to limit their employees’ access to information or entire modules that are essential for the performance of the vendor’s job duties. And they should also be required to execute agreements, which indicate their acknowledgement and compliance with HIPAA requirements and require them to be responsible for safeguarding any information that can be extracted from the computer system.

Marissel Descalzo: Once you recognize you have a problem, the next step is probably conducting an internal investigation. There are top rules that every institution should follow when they’re conducting an internal investigation. The first thing is to decide whether the internal investigation will be conducted by in-house counsel or by outside counsel. The next step is whether you have to issue a document hold, or a litigation hold as it’s sometimes referred to, and whether you need to stop the destruction of certain documents. You need to get with your IT department to discuss this. You need to identify the scope of the investigation and then narrow the scope of the investigation. You don’t want to do a broad sweeping investigation in the event there is a later criminal case or class action that would require disclosure of all this information and maybe it’s things that your institution does not want to disclose.

Read full transcript at http://www.cfjblaw.com/internal-data-theft-hospitals-podcast/
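The two indicators the speakers describe, repeated demographic lookups without ever opening a patient's chart and bulk printing of face sheets, can be checked mechanically against EHR audit logs. The script below is an added example, not part of the podcast or of Carlton Fields' material; the comma-separated audit-log format, the action and module names, the user ids and the thresholds are all constructed assumptions, and the thresholds in particular must be tuned to a unit's normal workload before the output means anything.

```python
from collections import defaultdict

# Constructed sample of EHR audit-log lines (assumed format, not real data):
# timestamp,user,action,module,patient_id,pages_printed
SAMPLE_AUDIT_LOG = "\n".join(
    # user17: a run of demographic lookups with no chart ever opened
    [f"2024-03-01T08:{i:02d}:00,user17,SEARCH,DEMOGRAPHICS,,0" for i in range(12)]
    # user42: normal pattern, each lookup followed by opening that patient's chart
    + [f"2024-03-01T09:{i:02d}:00,user42,SEARCH,DEMOGRAPHICS,,0" for i in range(4)]
    + [f"2024-03-01T09:{i:02d}:30,user42,CHART_OPEN,CHART,P{i},0" for i in range(4)]
    # user23: prints 25 face-sheet pages in one morning
    + [f"2024-03-01T10:{i:02d}:00,user23,PRINT,FACE_SHEET,P{i},5" for i in range(5)]
    + ["2024-03-01T11:00:00,user42,PRINT,FACE_SHEET,P1,2"]
)

def parse_audit_log(text):
    """Split the comma-separated audit lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, module, patient, pages = line.split(",")
        events.append({"ts": ts, "user": user, "action": action,
                       "module": module, "patient": patient, "pages": int(pages)})
    return events

def flag_suspicious_users(events, search_threshold=10, print_threshold=20):
    """Return {user: [reasons]} for users matching the podcast's two indicators:
    many demographic searches without opening charts, and bulk face-sheet printing."""
    searches = defaultdict(int)   # demographic-module searches per user
    opens = defaultdict(int)      # patient charts actually opened per user
    printed = defaultdict(int)    # face-sheet / billing pages printed per user
    for e in events:
        if e["action"] == "SEARCH" and e["module"] == "DEMOGRAPHICS":
            searches[e["user"]] += 1
        elif e["action"] == "CHART_OPEN":
            opens[e["user"]] += 1
        elif e["action"] == "PRINT" and e["module"] in ("FACE_SHEET", "BILLING"):
            printed[e["user"]] += e["pages"]
    findings = defaultdict(list)
    for user, n in searches.items():
        # browsing demographics without treating anyone: lookups far outnumber chart opens
        if n >= search_threshold and opens[user] < n // 5:
            findings[user].append(f"{n} demographic searches, {opens[user]} charts opened")
    for user, pages in printed.items():
        if pages >= print_threshold:
            findings[user].append(f"{pages} face-sheet/billing pages printed")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in flag_suspicious_users(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

A real deployment would read the EHR's own audit export and window the counts per shift rather than per file; the flagged users are leads for the internal investigation the speakers go on to describe, not conclusions.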

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising