When it comes to securing anything the weakest link in the chain is always people. People are the ones who make mistakes, over-share, and are also the criminals. This episode talks about what people can manage to do so you have to think of all kinds of things outside the norm.
University of Pittsburgh MC BA breach after being hacked the year beforeEmployee of the billing service call center copied personal information from the billing system. 2,259 patients were then passed on to a third-party. Notification that it happened came from FBI. Last year UPMC was hacked and employee information taken for all 62,000 employees. Over 800 employees reported ID theft.
Oakwood Healthcare worker fired for HIPAA-violating Facebook commentsTerminated after posting disparaging comments about a patient on her Facebook page. Worked at a hospital that had to treat a suspect in a police shooting. Her posts were pointing out her disgust in having to treat him. It is still a violation.
Roanoke, Va. Carilion Clinic – 14 employees admitted snooping Found it by random log reviews. Previously, only checked on patients where a big new story was happening.
Physician Suffers Second 2015 Data Breach Break-in in Jan requires breach notification to 350 patients. Break-in again in March they got computers and patient charts. The computers were not encrypted and they had patient info OTHER THAN THE LETTERS to the 350 patients. This time the total patients involved are 1,342. At this point they hire a security guard who stops a third break-in. The doctor is moving their office to a new town. Encryption could have saved a lot here, increased security after the first break-in would be the most obvious requirement. That is a simple decision that was just not made. Now over 4 times the number of patients are involved.
Doctor convicted of illegally accessing medical records Doctor having an affair and looked at the mistress’ medical records. Looking to see if she had STDs. Plead guilty in federal court and kept his license but must be monitored.
Medical is years and years behind other industries on security requirements and criminals are figuring that out. Plus, those that are way ahead are getting breaches like Home Depot, Target, and more. In all those cases there was a person somewhere involved in the process, in some cases several people made mistakes are took the wrong action.