All the news about ransomware and hackers usually gets the biggest headlines. But, the ones that fly under the radar may be something you should pay more attention to rather than the big splashy news. Insiders usually don’t have to work hard to plot ways to break into your data, you have invited them in and given them access. A damaging assumption is that you don’t have to worry about your insiders.
In this episode:
HIPAA Boot Camp
Insiders threat examples
Lately, there have been several news stories directly related to insiders doing things to expose PHI. Sometimes it seems to be a mistake while other cases are clearly criminal intent.
644 patients notified about a breach when they found that information was sent on unencrypted email.
This one is likely lack of training or just a mistake. Often these are the mistakes that occur when someone is in a hurry. It doesn’t alleviate the requirement to report it and treat it just like any other breach, though.
St Charles Health System – Oregon
A single employee accessed over 2,459 patient records out of curiosity. No need to do it but must have just been bored.
“She had no explanation other than she was curious,” Nicole Hough, St. Charles’ vice president of compliance, said.
It went on for years, too. From October 2014 until it was discovered in Jan 2017. They caught on in January doing a random manual medical record access log audit. Clearly, just doing manual audits left them wide open to this problem.
“This is a caregiver who does have legitimate access to electronic medical records,” Hough said. “In an audit that we did, that access was inappropriate with one specific patient. We did an investigation into that access, which led us to do further investigation.”
This problem is exactly why products like SPHER are not only a good idea but becoming an absolute necessity. You can’t edit every record every day without a tool like this. SPHER would have almost certainly caught that activity before the end of 2014.
She did sign an affidavit that all she did was to look around.
There was a similar case in Virginia at VCU Medical Center. Curiosity again without malicious intent. This time the hospital’s random audit found that community physician offices and vendors were doing the snooping. They caught it in Jan 2017 the same was as above. It involved 2700 patients from Jan 2014 to Jan 2017.
Curiosity kills the cat, as they say.
Intern snooping case in Canada
While this case isn’t an US one, the scenario is certainly possible. But, the final ruling in the case was also interesting. It is a great example how insiders may not be trained to handle the data properly when they are brought in for a specific reason.
A student gets assigned to the family health team. Canada’s primary care? She proceeds to check out records of family, friends, local politicians, staff of the clinic and other individuals in the community. This went on from Sept 2014 until March 2015. 139 patients. She was fined $20K plus a $5K victim surcharge. Not sure what that is in Canada.
But, the reason it made this list is the quote from the judge when she handed out her decision.
“Overall, the victim impact statements reveal a lack of trust and a sense of reluctance to share information with future health care providers. I believe this is a truly significant factor, given that we all must believe that when we go to the doctor for our physical illnesses and our mental health illnesses, that we will be able to trust our own health care practitioners and their team and that what we tell them will be respected and held in confidence so we receive the treatment and care we deserve.”
Illinois Paramedic drugging all his patients according to charts
Jason Laut, a former paramedic who was also a supervisor, dispatch manager and systems administrator at an Illinois ambulance company, has been indicted in a federal identity theft and fraud case involving allegations he altered patient records as part of a scheme to steal narcotics from a local hospital.
Another case that went on for years. 2013 to 2015. He would watch for runs that involved patients whose condition could have prevented them from the use of Fentanyl, Morphine, etc. Also watching for any that refused treatment and transport.
Whenever he needed drugs, he waited for one of those to come through and he would update the charts to show that a doctor had authorized the use of the drugs. Then, pocket the drugs himself. He was a supervisor who had access to doing these things. Your problem insiders can be those in charge just as the newest person hired.
Three individuals pleaded guilty this week in connection with a health care fraud scheme involving two Brooklyn, New York clinics that caused approximately $55 million in false and fraudulent claims to Medicare and Medicaid.
Olga Proskurovsky, 49, and Yuriy Omelchenko, 49, both of Brooklyn, New York, each pleaded guilty to one count of conspiracy to commit health care fraud. Pursuant to their plea agreements, the defendants agreed to forfeiture money judgments in the amount of $17,216,687. Isak Aharanov, 42, of Brooklyn, New York, also pleaded guilty to two counts of conspiracy to commit money laundering and one count of conspiracy to defraud the United States. The defendants pleaded guilty before U.S. District Judge Roslynn R. Mauskopf of the Eastern District of New York.
According to the defendants’ admissions made as part of the plea agreements, Proskurovsky served as a medical biller and Omelchenko worked as a therapist manager at Prime Care on the Bay LLC (Prime Care) and Bensonhurst Mega Medical Care P.C. (Bensonhurst). The defendants admitted that they assisted in a scheme to defraud the Medicare and Medicaid programs in which patients subjected themselves to medically unnecessary health services, including physical and occupational therapy, provided by unlicensed staff. To conceal the scheme, Proskurovsky and Omelchenko admitted that occupational and physical therapists falsified patient charts and medical billing documents.
As part of his plea agreement, Aharanov admitted that he and co-conspirators paid patients in order to induce them to come to Prime Care, Bensonhurst and Total Rehab and Physical Therapy P.C. Aharanov further admitted that he used a bank account opened in the name of one of his companies to launder funds and generate the cash needed to make these illegal kickback payments.
Fifteen other individuals have pleaded guilty in connection with the scheme.
All of this brings us to a bigger concern
It isn’t just the breaches occurred but the thing I have spoken about many times appears to be happening too.
I have talked many times about the importance of protecting information. If we want to heal people and keep them from getting really sick, they must be able to tell us things. If we don’t protect this data we could reach a whole new crisis in healthcare — not enough information provided by the patient to treat them properly.
The patients are the core of this business. They are very frustrated with the lack of interoperability of information. But, the sheer volume of data breaches makes them also terrified to see more data moving around. The industry as a whole has multiple black eyes with much of the public.
- You can’t protect my data
- You aren’t even sending it around as much as you should yet and can’t protect it.
While we discuss all kinds of threats to privacy and security in your organization, clearly, insiders can do the most damage to your patients by using the information they were given access to in order to do their job. That phrase of the devil you do know…, maybe it is better to deal with that devil but only if you realize the devil is actually there.