Rodeo Drive breach

A major breach of PHI was announced by a Beverly Hills plastic surgeon’s office on June 1. There is a lot to this case, from the fact that it involved a malicious insider to the many ways that proper HIPAA policies and procedures would have limited it, if not prevented it completely. When the breach is on Rodeo Drive, you can be sure celebrity patients’ records were among those exposed. That alone may make it hit home with a lot of folks who haven’t worried too much about these protections until now.

We have talked about insiders as a major vulnerability a lot lately, and this one really makes it big news: 15,000 files with medical and personal information in one Rodeo Drive breach. On top of that were pictures that were not part of the medical records, including pictures of celebrity patients who did not even know the pictures existed!

HIPAA For MSPs by David Sims 10 Ways HIPAA Should Have Stopped Rodeo Drive Breach

In this episode:

Rodeo Drive breach

Speaking Engagements

New Boot Camp Dates being considered

Topic for today – Rodeo Drive breach

10 ways HIPAA should have stopped it

Rodeo Drive breach at plastic surgeon office

The scenario

  • Dr. Zain Kadri’s office
  • Poor office manager acting as a spokesperson dealing with the press
  • A staffer was hired in Sept 2016 as a driver and translator – no medical training
  • Gave her more duties including answering the phone and doing data entry
  • They also gave her a company phone to use for company business
  • She asked to watch surgeries which some staff apparently are allowed to do if the patient consents.
    • Patients generally assume that privacy matters in places like this

When it starts to fall apart

  • On March 13, information came to light and they confronted her with evidence that she was embezzling; she quit and walked out. Apparently, she was caught falsifying time records.
  • They asked her for her company phone and she said she lost it
  • Later the now ex-staffer shows up causing trouble and they told her she was trespassing
  • The police were called and she was escorted off the premises
  • During that event, she drops the phone that was supposed to be lost
  • It has a lock code on it, but the office happens to be in communication with her ex, who was able to give them the code to unlock the phone

Then it goes from bad to worse

  • On the phone, they find that she had taken pictures and video of patients and posted them on social media
  • She also had pics and vids of the doctor
    • While he was asleep in the car she took pics, added all kinds of childish filters, and posted them on Snapchat
    • She also sent those pics to his colleagues – makes me wonder there but….
  • She took pictures of patient IDs, patient records, post-op reports and even those before and after photos you see
  • She ALSO sent text messages to others with passwords and credit card information

Celebrity patients records included in Rodeo Drive breach

  • On May 1 the office was burglarized
  • The majority of the practice’s medical records were stolen both paper and digital.

…every bit of the medical records had been taken including back up hard drives and iPads with patient information

  • Someone with inside knowledge of where everything was kept had clearly done the deed according to the office manager.
  • Five people knew enough to do that much damage that easily
    • One was in Europe
    • Two were at LAX waiting to be picked up
    • The fourth one was on the way to pick them up
  • The fifth one was – you guessed it…..
  • Plus….. the only other things taken besides the medical records were some of her personal items that were still at the office.
    • Expensive digital cameras and plenty of prescription meds left alone
  • 15,000 cases from 16 different states and 5 countries
    • Did we mention that included celebrity patients records breached?
  • The office is working to notify all the patients
  • BUT… because of the theft, they no longer have contact information for all of them

Kadri’s office said that they have spent the last weeks contacting all of the patients who they can find info for, with reactions ranging from general anger to some thinking “if this info gets out into the public eye it could be seriously damaging to them.” (NY Daily News)

HIPAA should have been there to stop this

As soon as I started reading about this Rodeo Drive breach, I started making a list of all the things that should have been in place if they were following HIPAA rules. Many of these things could have stopped the whole thing from happening. Others would have made the damage easier to control and contain.

  1. An incident response plan to lock things down as soon as they started finding problems
    • the office manager should be dealing with issues not talking to the press
  2. Physical safeguards that should have been in place to prevent an ex-staffer from breaking in that easily and taking only the things that mattered
  3. Mobile Device Management and Mobile Security policies that would have allowed them
    • to control the activity and the applications allowed on the company phone
    • locate it immediately when she said she had lost it
    • remotely wipe or lock it (locking is the better option in this case, since it preserves the evidence on the phone)
  4. Employee background checks and training may have raised a red flag
    • She probably doesn’t even realize she can go to prison for the HIPAA breaches – if it matters who knows
    • If you hire someone as your driver and then give them more access without vetting, training, testing, and watching closely, you don’t have any procedures in place to protect you from insider issues
    • So much training either wasn’t done or was ignored on things like the minimum necessary standard for uses and disclosures and social media policies
  5. Limitations on uses of mobile devices in patient treatment areas – there is no reason for a company phone to be in a treatment room at all, especially in the hands of someone who isn’t clinical
  6. Offsite backups so the only backup can’t walk out the door, taking your patients’ contact information with it
  7. Encrypted backup on the external hard drive – the notifications wouldn’t be required if it were properly encrypted
  8. Audit of access to patient records would have picked up the access she needed to get all those pictures.
  9. Employee termination policies and procedures to make sure departing employees are locked out of everything: every part of the office and every data source they could access before.
  10. As a driver, why would she have access to so much anyway? Her job did not require it. Handing out access a job doesn’t need is what gets people in trouble; they think this kind of thing won’t happen to them.
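As an added example (not from the page or the practice itself), items 8 and 10 above combined: a minimum-necessary role map plus an audit over constructed access-log lines that flags a non-clinical account touching charts, photos or exports, and any user reaching an unusual number of patients. The roles, actions, user names and log format are all assumptions.

```python
"""Role-based audit of patient-record access logs (constructed sample data)."""

# Hypothetical "minimum necessary" map: role -> actions that role may perform.
ROLE_PERMISSIONS = {
    "surgeon": {"view_chart", "edit_chart", "view_photos", "export"},
    "nurse": {"view_chart", "edit_chart", "view_photos"},
    "front_desk": {"view_demographics", "edit_demographics", "view_schedule"},
    "driver_translator": {"view_schedule"},
}

# Constructed audit lines: timestamp, user, role, action, patient id.
SAMPLE_LOG = """\
2017-03-01T09:02:11 dr_k surgeon view_chart P1001
2017-03-01T09:05:40 nurse1 nurse view_photos P1001
2017-03-01T09:06:10 staffer1 driver_translator view_schedule P1002
2017-03-01T09:07:02 staffer1 driver_translator view_chart P1002
2017-03-01T09:07:30 staffer1 driver_translator view_photos P1003
2017-03-01T09:08:14 staffer1 driver_translator export P1005
2017-03-01T09:09:00 desk1 front_desk view_demographics P1004
"""


def parse_log(text):
    """Turn whitespace-separated log lines into dicts; skips blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        rows.append({"ts": ts, "user": user, "role": role,
                     "action": action, "patient": patient})
    return rows


def audit(rows, max_patients_per_user=2):
    """Return (out_of_role, high_volume).

    out_of_role: log rows whose action is not permitted for the user's role.
    high_volume: {user: distinct patient count} for users touching more
                 distinct patients than max_patients_per_user.
    """
    out_of_role = [r for r in rows
                   if r["action"] not in ROLE_PERMISSIONS.get(r["role"], set())]
    patients_per_user = {}
    for r in rows:
        patients_per_user.setdefault(r["user"], set()).add(r["patient"])
    high_volume = {u: len(p) for u, p in patients_per_user.items()
                   if len(p) > max_patients_per_user}
    return out_of_role, high_volume


if __name__ == "__main__":
    bad, busy = audit(parse_log(SAMPLE_LOG))
    for r in bad:
        print("OUT OF ROLE:", r["ts"], r["user"], r["role"], r["action"], r["patient"])
    for user, n in busy.items():
        print("HIGH VOLUME:", user, "touched", n, "distinct patients")
```

In a real deployment the threshold would be tuned per role against normal activity, and the review would run daily rather than after a phone turns up.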

Are there more? If you think that insiders can’t wreck your business, call up these folks in a few weeks. Who knows what will be left of this practice in one year, and it all started by hiring someone as a driver and translator in September. In 6 short months, BOOM.

This Rodeo Drive breach took so many turns that it is harder to keep up with than most we see. However, many of those turns could have been prevented by properly following the HIPAA rules that have been in place for 12 years now. They may seem overwhelming at times, but clearly they are needed in the world we live in today. People are crazy!