Cancer Center Breach Involves ID Theft
Second Riverside Health System Breach in Recent Months
Riverside Health System, a healthcare provider that operates several hospitals and other care facilities in Virginia, is notifying 2,000 cancer patients about a breach that involves alleged identity theft. It's the second data breach involving an insider at Riverside since last December.
The latest incident involves alleged ID theft by a former medical assistant who worked at Riverside's Cancer Specialists of Tidewater oncology practice from August 2012 to June 2014, a Riverside spokesman tells Information Security Media Group.
The Chesapeake Police Department notified Riverside on June 6 that it was investigating several ID theft cases, and all the victims were patients at the cancer practice, the spokesman says.
To date, 13 people have reported ID theft to the police. But Riverside is notifying all patients cared for by the medical assistant during her tenure at the cancer center, he says. Also being notified are the next-of-kin of deceased patients cared for by the worker.
The medical assistant, who has since been fired by Riverside, was authorized to access the data of patients treated at the cancer care practice, the spokesman points out. Riverside is assisting police in the ongoing investigation, he says.
Another Riverside breach last year affecting 900 individuals involved a different former employee at another facility who inappropriately accessed records of patients at multiple Riverside practices between September 2009 and October 2013, the spokesman says. The employee in that breach was also fired by Riverside. Since that earlier incident, Riverside has been rolling out breach prevention and monitoring tools from vendor Fairwarning.
But because the medical assistant suspected of ID theft in the latest breach incident was authorized to access the patients' records, it was difficult to detect her alleged ID theft activity, he says.
In the wake of the latest breach, Riverside is working with Fairwarning to expand Riverside's log audit capabilities with more automatic alerts to identify inappropriate access and help protect patient information, he says.
Also, Riverside is considering expanding its employee background-check program to include all workers. Currently, background checks are done only for some workers, such as those with certain professional licenses, he says.
Other details in the latest case are under investigation, he says. And there's no evidence of ID theft in last year's breach.
Patients and staff of the cancer practice are being offered free credit monitoring, Riverside says. The former medical assistant suspected in the ID theft cases had access to patient names, addresses, Social Security numbers, credit card numbers and other personally identifiable information, the spokesman says.
Healthcare organizations can take several steps to help prevent inappropriate access to records and ID theft, says Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire. "In some cases, background checks prior to employment may be revealing of questionable behaviors that could impact data security," he says. "At some point there has to be a trust factor with regards to the employees that interact with patient information as part of their job responsibilities. Since there are numerous ways of extracting data, some conventional - such as reports and export - and others unconventional, like screen prints, the simplest control is to restrict access as much as possible to just those that have a business need."
Some organizations create secure 'zones' where electronic protected health information cannot be extracted, he notes. "This design is based on a virtual desktop infrastructure where data is isolated and highly secured," Hicks says. "As an alternative, we've seen organizations implement data loss prevention solutions as a way to restrict the flow of ePHI in unauthorized ways, such as to USB storage devices and e-mail. On the detective side, this case identifies the importance of having good logging and monitoring controls."
Privacy and security attorney Kirk Nahra, a partner at Washington, D.C. law firm Wiley Rein LLP, also recommends restricting staff access to records based on their role and the sensitivity of data. "Social Security numbers are very high risk ... there're very limited reasons why people need access to that," he says.
Also, it's important for healthcare entities to communicate and enforce privacy and security policies. "In the best practices area, that's a mixture of audits, training, investigations, responding to complaints and sanction policies - making to ensure employees know [inappropriate access] will not be tolerated, even if it's for an innocuous reason like checking on [the records of] Aunt Sally," he says.
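As an added example (not Riverside's or FairWarning's code), the following Python audit pass over constructed EHR access-log lines illustrates the two controls described above: a least-privilege check against each worker's care roster, and automated alerts when identity or payment fields are viewed by a role without a business need or across an unusual number of patients. The log format, roster, role list and threshold are all assumptions.

```python
"""Audit constructed EHR access-log lines for inappropriate access by
authorized staff. Format, roles, roster and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample audit log: timestamp,user,role,patient_id,fields_viewed
SAMPLE_LOG = """\
2014-05-01T09:02,ma01,med_assistant,P100,vitals;allergies
2014-05-01T09:05,ma01,med_assistant,P100,ssn;card_number
2014-05-01T09:20,ma01,med_assistant,P101,ssn;card_number
2014-05-01T10:10,ma01,med_assistant,P102,ssn;card_number
2014-05-01T10:12,ma01,med_assistant,P103,ssn
2014-05-01T11:00,ma02,med_assistant,P200,vitals
2014-05-01T11:30,ma02,med_assistant,P201,vitals;allergies
2014-05-01T12:00,bill01,billing,P100,ssn;card_number
2014-05-01T12:10,bill01,billing,P300,card_number
"""
# Constructed care assignments: patients each user is scheduled to treat today.
CARE_ROSTER = {"ma01": {"P100", "P101"}, "ma02": {"P200", "P201"},
               "bill01": {"P100", "P300"}}
SENSITIVE_FIELDS = {"ssn", "card_number"}
# Assumed role baseline: only these roles have a business need for these fields.
ROLES_NEEDING_SENSITIVE = {"billing", "registration"}

def parse_log(text):
    """Parse CSV-style audit lines into event dicts (fields as a set)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, fields = line.split(",")
        events.append({"ts": ts, "user": user, "role": role,
                       "patient": patient, "fields": set(fields.split(";"))})
    return events

def audit(events, roster, max_sensitive_patients=2):
    """Return (user, reason) alerts. Rule 1: access outside the care roster.
    Rule 2: sensitive fields viewed by a role without a business need.
    Rule 3: sensitive fields viewed across more distinct patients than the
    threshold in one log window (the harvesting pattern authorized access hides)."""
    alerts, sensitive_patients = [], defaultdict(set)
    for e in events:
        if e["patient"] not in roster.get(e["user"], set()):
            alerts.append((e["user"], f"off-roster access to {e['patient']} at {e['ts']}"))
        if e["fields"] & SENSITIVE_FIELDS:
            sensitive_patients[e["user"]].add(e["patient"])
            if e["role"] not in ROLES_NEEDING_SENSITIVE:
                alerts.append((e["user"], f"{e['role']} viewed sensitive fields of {e['patient']}"))
    for user, patients in sensitive_patients.items():
        if len(patients) > max_sensitive_patients:
            alerts.append((user, f"sensitive fields viewed for {len(patients)} patients (limit {max_sensitive_patients})"))
    return alerts

if __name__ == "__main__":
    for user, reason in audit(parse_log(SAMPLE_LOG), CARE_ROSTER):
        print(f"ALERT {user}: {reason}")
```

In the constructed sample only ma01 is flagged; the billing user views the same fields but within role and roster, which is the distinction a rule set like this has to make.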