SSM Health Data Breach Highlights Insider Threat
Protected health information (PHI) can be very alluring to insiders. A recent privacy breach at a Midwest US healthcare system highlights the risk posed by the snooping insider.
SSM Health, a St. Louis, Missouri-based not-for-profit health system, recently notified 29,000 patients of a privacy breach that might have exposed their medical records.
In a news release posted December 29 on its website, SSM Health provided the following details of what happened:
- On October 30, SSM discovered that a former employee in the customer service call center inappropriately accessed medical records of SSM patients between Feb. 13 and Oct. 20. This incident constituted a privacy breach under the federal Health Insurance Portability and Accountability Act (HIPAA).
- The employee had access to PHI, including demographic and clinical information, but did not have access to financial information such as credit card numbers.
- SSM determined the former employee accessed patient information from multiple states, but focused on records of a small number of patients with a controlled substance prescription and a primary care physician within the St. Louis area.
- SSM decided to notify all 29,000 patients whose records were accessed by this individual, even if the access may have been for legitimate reasons.
In response, SSM has:
- Notified the Office for Civil Rights and local law enforcement.
- Required an additional identifier when patients request prescription refills from the call center.
- Strengthened employee access monitoring tools.
- Provided identity theft protection at no charge to affected patients upon request.
HIPAA Journal noted that this is the second incident reported by SSM this year involving breached PHI.
The response by SSM Health was comprehensive in terms of information shared and resulting actions taken (such as offering credit monitoring). However, there was a 2-month delay between discovery of the data leak and the announcement. In addition, the former employee was inappropriately accessing data many months before the leak was discovered.
In its response to the data leak, SSM highlighted a key tool in stopping snooping insiders: employee monitoring tools. Employee monitoring software gives organizations the ability to:
- Analyze behavior to determine normal and anomalous behavior
- Alert on activities that deviate from normal behavior and take action to block the activity
- Capture visual evidence of employee activity for compliance or audit purposes
Employee monitoring software provides timely notification of a breach and gives you the ability to intervene quickly to stop a snooping insider.
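The "normal versus anomalous" comparison described above can be sketched as a peer-baseline check over a record-access audit log. This is an added example, not SSM's or any vendor's tooling; the log fields, the agent names, the call-ticket link, the 3.5 threshold and the 0.05 floor are all assumptions, and the log rows are constructed.

```python
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed rows: (user, patient_id, controlled_rx, has_call_ticket)."""
    rows = []
    # Four agents: every lookup follows a call; about 1 in 10 patients has a controlled-substance Rx.
    for n, user in enumerate(["agent_a", "agent_b", "agent_c", "agent_d"]):
        rows += [(user, f"P{n}{i:03d}", i % (8 + n) == 0, True) for i in range(40)]
    # One agent: lookups skew to controlled-substance patients, half with no call ticket.
    rows += [("agent_e", f"P9{i:03d}", i % 5 != 0, i % 2 == 0) for i in range(40)]
    return rows

def user_metrics(rows):
    """Per user: share of distinct patients with a controlled Rx, and share with no ticket."""
    patients = defaultdict(dict)
    for user, patient, controlled_rx, has_ticket in rows:
        rx, unmatched = patients[user].get(patient, (False, False))
        patients[user][patient] = (rx or controlled_rx, unmatched or not has_ticket)
    return {
        user: {
            "controlled_share": sum(rx for rx, _ in seen.values()) / len(seen),
            "unmatched_share": sum(um for _, um in seen.values()) / len(seen),
        }
        for user, seen in patients.items()
    }

def robust_scores(values, floor=0.05):
    """Distance above the peer median in MAD units; the assumed floor avoids a zero scale."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    scale = max(1.4826 * mad, floor)
    return {user: (v - med) / scale for user, v in values.items()}

def flag_users(rows, threshold=3.5):
    """Return {user: [(metric, value, score)]} for users far above peers (assumed threshold)."""
    metrics = user_metrics(rows)
    alerts = defaultdict(list)
    for name in ("controlled_share", "unmatched_share"):
        scores = robust_scores({u: m[name] for u, m in metrics.items()})
        for user, score in scores.items():
            if score > threshold:
                alerts[user].append((name, round(metrics[user][name], 2), round(score, 1)))
    return dict(alerts)

if __name__ == "__main__":
    for user, reasons in flag_users(build_sample_log()).items():
        print(user, reasons)
```

Comparing each user against the peer median rather than against their own history matters for a case like this one, where the access pattern ran for months and would have become the user's own "normal".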