Worker Inappropriately Accessed Patient Records for 15 Years – Source: www.govinfosecurity.com

Governance & Risk Management
,
Insider Threat
,
Privacy

Cleveland Safety-Net Healthcare Organization Says Employee ‘Disciplined’ for Breach

Marianne Kolbasuk McGee (HealthInfoSec) •
June 28, 2023    

A Cleveland-based healthcare system is notifying a not-yet-undisclosed number of individuals about an incident involving unauthorized medical records access by an employee over the past 15 years.

See Also: Live Webinar | The Secret Sauce to Secrets Management

MetroHealth, Cuyahoga County, Ohio’s safety-net health system, which includes four hospitals and dozens of other care centers, said in a statement Monday that the inappropriate access by an employee occurred over multiple dates from 2008 to 2023. The breach was discovered on Tuesday, the entity said.

Patient records accessed during that time included names, birthdates and clinical information. “The employee did not have access to financial information such as Social Security numbers or banking information,” MetroHealth said. “To date, we have no evidence that any information has been misused as a result of this incident,” according to MetroHealth.

MetroHealth took disciplinary action “immediately” against the employee in accordance with its human resources policies, the statement said. “Additional steps are also underway to strengthen privacy processes, procedures and training across the institution to prevent similar incidents from occurring in the future,” the organization said.

MetroHealth did not immediately respond to Information Security Media Group’s request for additional details about the incident, including the number of people affected, the job role of the employee and the type of disciplinary action taken against the worker.

Serious Problem

The MetroHealth incident spotlights the serious privacy and security issues many organizations face involving insiders, said regulatory attorney Rachel Rose. “Just because financial information was not accessed does not mean that the individual did not utilize the information,” she warned.

That has been the case in other notable incidents involving insider breaches. For example, in a federal prosecution case in Tennessee, five former employees of Methodist Le Bonheur Healthcare in Memphis recently pleaded guilty to criminal HIPAA violations in an alleged scheme involving the sale of motor vehicle accident patient information to third parties, Rose said (see: 6 Plead Guilty in Criminal HIPAA Scheme at Health Entity.

“Snooping is also one of the main activities that has led to criminal HIPAA violations,” she said. “For example, a UCLA researcher pleaded guilty to illegally accessing and viewing patient records, including those of his co-workers and celebrities.”

In 2010, a physician at UCLA Health System was one of the first individuals to be prosecuted for accessing patients’ medical information without a legitimate purpose.

Other healthcare entities also have suffered incidents of long duration involving insiders. In 2014, UMass Memorial Medical Center reported a breach affecting about 2,400 individuals that involved unauthorized access to patient records over 12 years.

Sometimes the number of records is eye-popping. In 2018, an employee of Adams County, Wisconsin allegedly installed keylogging software to inappropriately access county systems, including protected health information, over a five-year period, affecting more than 258,000 individuals.

“Taking a historical perspective, snooping and utilizing data for either malicious harm or remunerative purposes for personal gain opens the door to potential civil and criminal actions,” Rose said.

Often these types of insider compromises boil down to a lack of workforce training and technical safeguards, she added.

According to Rose, “Access logs should be both implemented and monitored regularly, and the fact that this conduct went on at MetroHealth since 2008 is inexcusable.

“An audit of access logs should be flagging all employees, including ancillary care employees, patient transport personnel, billing and others on a regular basis. Pulling this person’s name should have provided all access [allowed for the employee], and the pattern should have been caught a lot earlier.”