Hospital Insider Breach Leads to Lawsuit
Case Calls Attention to Need to Detect, Mitigate Threats
A lawsuit filed against a former employee at an Atlanta pediatric healthcare system calls attention to the need to detect and mitigate insider threats, including those related to departing workers.
In its lawsuit, Children's Healthcare of Atlanta alleges a corporate audit adviser, who had announced plans to leave the organization, sent protected health information about an unspecified number of patients, as well as other sensitive corporate data, to her personal e-mail account.
The organization operates three hospitals and 20 other facilities that treat children and teenagers in the Atlanta area.
The lawsuit contains no allegations that the former employee, Sharon McCray, used the information for financial fraud or ID theft. It seeks a temporary restraining order to prevent McCray from using or disclosing the information, a court order for McCray to return the information and destroy copies of the data, plus unspecified damages.
A Common Problem
Security expert Mac McMillan, CEO of the consulting firm CynergisTek, says this type of insider incident is "not all that unusual."
Several studies suggest that a majority of those who leave their jobs take corporate information with them to their new employers, he says. "What was more alarming, though, was that they felt it was acceptable to do so," he adds.
McMillan says organizations can take several steps to prevent insider data breaches. "First, restrict users' access to the minimal necessary information they need. Second, deploy data loss prevention [technology] that enables you to proactively monitor what users are attempting to transmit and creates an accurate audit trail of what they have sent and where it's gone," he says.
DLP technology can enable organizations to set rules for what type of information can be sent to a personal address and the amount of information that can be transmitted in each session - "rules that, when enforced, can assist you in proactively seeing this type of activity before the information is gone," he says.
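The two kinds of rule McMillan describes, limits on the type of information and on the per-session volume sent to personal addresses, can be sketched as below. This is an added example, not code from the article or from any DLP product; the log format, domain list, labels and byte caps are assumptions, and the tighter cap for users who have given notice is an added illustration of the departing-worker concern.

```python
import csv
import io
from collections import defaultdict

# Assumed policy values (hypothetical; tune per organization).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
BLOCKED_LABELS = {"PHI", "PRIVILEGED"}   # types never allowed to personal mail
SESSION_BYTE_CAP = 5_000_000             # bytes per session to personal mail
DEPARTING_BYTE_CAP = 1_000_000           # tighter cap after a resignation notice

# Constructed sample of mail-gateway records; not real data.
SAMPLE_LOG = """session,sender,recipient,bytes,label
s1,alice@hospital.example,alice.home@gmail.com,1200000,NONE
s1,alice@hospital.example,alice.home@gmail.com,4100000,NONE
s2,bob@hospital.example,partner@vendor.example,9000000,PHI
s3,carol@hospital.example,carol77@yahoo.com,300000,PHI
s4,dave@hospital.example,dave.d@outlook.com,1500000,NONE
"""

def evaluate(log_text, departing=frozenset()):
    """Return (session, sender, reason) alerts in log order."""
    alerts, sent, over_cap = [], defaultdict(int), set()
    for row in csv.DictReader(io.StringIO(log_text)):
        domain = row["recipient"].rsplit("@", 1)[-1].lower()
        if domain not in PERSONAL_DOMAINS:
            continue  # these rules only govern mail to personal addresses
        key = (row["session"], row["sender"])
        # Rule 1: information type that may never go to a personal address.
        if row["label"] in BLOCKED_LABELS:
            alerts.append((*key, f"{row['label']} sent to personal address"))
        # Rule 2: cumulative volume per session, alerted once per session.
        cap = DEPARTING_BYTE_CAP if row["sender"] in departing else SESSION_BYTE_CAP
        sent[key] += int(row["bytes"])
        if sent[key] > cap and key not in over_cap:
            over_cap.add(key)
            alerts.append((*key, f"session volume {sent[key]} exceeds cap {cap}"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG, departing={"dave@hospital.example"}):
        print(alert)
```

Each alert tuple also serves as an audit-trail entry recording who sent what and in which session.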
The Children's Healthcare lawsuit notes that for its employees to access PHI, they must use usernames, passwords and other credentials based on job responsibilities. Individuals who log onto the organization's computer network to access PHI are also logged and tracked, according to the lawsuit.
The suit, filed on Oct. 25 in the U.S. District Court for the Northern District of Georgia, Atlanta division, alleges that Sharon McCray misappropriated information "kept confidential" by the pediatric healthcare system.
The breached information includes "highly sensitive and confidential proprietary and trade secret information," including pediatric patient health information; numbers assigned to healthcare providers by the Drug Enforcement Agency that allow clinicians to write prescriptions for controlled substances; state license numbers of more than 500 healthcare providers; and attorney-client privileged information, according to the lawsuit.
The pediatric healthcare system alleges that McCray's actions violate a number of federal and Georgia state laws, including trade secret laws and HIPAA, and amount to computer theft and computer invasion of privacy.
McCray on Oct. 16 announced her resignation effective Dec. 20, according to the suit. On Oct. 18, the organization discovered McCray had sent to her personal e-mail account patient PHI and other information belonging to the health system, the lawsuit alleges.
McCray's alleged e-mailing of information to her personal account started on Oct. 16 and ended on Oct. 21, when Children's Healthcare terminated McCray's access to corporate e-mail and placed her on a paid leave of absence.
During a meeting on Oct. 21 between McCray and her supervisors to discuss the e-mails, the suit alleges, McCray admitted sending the information to her personal e-mail account so that "she could use the protected information as backup records for her new employment with an unidentified employer to use as a reference."
Children's Healthcare on Oct. 21 demanded that McCray return the information and provide access to her computer to ensure she was no longer in possession of the protected information, the suit states, and McCray agreed to return the information by end of day Oct. 22.
However, on Oct. 22, McCray sent an e-mail to the organization stating she had only sent the information to herself in order "to complete job functions" from home through the end of her employment on Dec. 20. A copy of that e-mail from McCray included in the lawsuit documents says that she "erred on the side of being over-inclusive so that [McCray] could have the necessary information available to me." She added that it would take her until at least Oct. 31 to review and return the information to Children's Healthcare. She also asked "which particular documents" should be returned.
At that point, Children's Healthcare immediately terminated McCray's employment and demanded return of all the organization's information and documents in her possession and destruction of copies.
Neither Children's Healthcare nor McCray responded to Information Security Media Group's inquiries about whether the information in question had been returned or destroyed by McCray by Oct. 31.
In a statement to Information Security Media Group, a Children's Healthcare spokeswoman said, "We can confirm that Children's has filed a lawsuit against a former employee for taking confidential and protected health information. The confidentiality of our patients and providers is of the utmost importance, and we are continuing to take every step to protect their information."
Healthcare organizations should keep in mind that, when it comes to inappropriate access to confidential information, it's not just departing employees that they need to worry about.
For example, a recent case in Florida illustrates how current employees can use patient information to commit fraud.
The Florida Department of Health in Orange County is notifying about 2,000 patients of its health centers about a data security breach. Federal agents investigating a tax fraud scheme discovered that the names, birthdates and Social Security numbers of patients treated at health department clinics had been inappropriately accessed by two department staffers.
The two workers, who were terminated by the health department, were charged on Oct. 24 with identity theft in the U.S. District Court, Middle District Florida, Orlando Division.
A statement on the department of health's website says: "The employees have been permanently removed from access to any and all Department of Health information. Medical information, bank account, credit card or other personal information were not part of the breach."