10-Year Insider Breach Identified by Texas Health System

Hackers are responsible for the majority of healthcare data breaches; however, healthcare providers must ensure that they have safeguards in place to protect against insider threats and have monitoring capabilities to detect unauthorized access to patient records promptly.

Numerous data breaches have been reported where healthcare employees have been discovered to have accessed patient records out of curiosity, such as when a famous person is admitted to a hospital. Healthcare employees are often found to have accessed the records of patients not under their care, including friends and family members. Malicious insiders access patient data to sell to identity thieves or to cause harm to individuals.

HIPAA requires healthcare providers to ensure that each employee has unique credentials, and health record access logs must be maintained and monitored. Should any employee access patient records without authorization, the unauthorized access can be detected rapidly, and the harm will be minimized. All too often, however, healthcare providers discover insider breaches that have been ongoing for months, and in some cases, years.

This month, one such breach has been announced by Harris Health, a Texas health system. Notification letters are now being mailed to approximately 5,000 patients after an employee was discovered to have accessed their electronic health records without a legitimate work reason. Alarmingly, the unauthorized access had been ongoing for more than a decade.

According to Harris Health, the insider breach was discovered on February 10, 2021. A digital forensics firm was engaged to investigate and determine the extent of the unauthorized access. The investigation revealed that access had been ongoing since January 4, 2011. Law enforcement was notified, and Harris Health learned from the FBI investigation that the employee had disclosed patient data to unauthorized individuals. The employee was terminated for the HIPAA violation.

Notification letters are only now being sent to the affected individuals due to a request by law enforcement to delay issuing notifications so as not to impede the investigation. The investigation was extensive, as notification letters were delayed for four years. It is unclear whether the former Harris Health employee has been charged, and the reason for the unauthorized access and disclosures has not been made public.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

Harris Health said it was not possible to determine which patients had their protected health information disclosed to unauthorized individuals, so notification letters are being sent to all individuals potentially affected. The data potentially disclosed includes names, dates of birth, addresses, email addresses, telephone numbers, medical record numbers, clinical information, diagnoses, medical histories, medications, immunizations, provider names, dates of service, and insurance information. Some patients’ Social Security numbers were also accessed. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

Given the long duration of the data breach, it appears that routine checks of access logs were not being performed, or that monitoring was not comprehensive. To ensure that these types of incidents are detected promptly, healthcare providers should implement monitoring tools that generate alerts of potential unauthorized activity. AI-powered systems can identify and flag anomalous activity to allow further investigation. It is also important to clearly explain to the workforce in HIPAA training sessions about the importance of respecting patient privacy and the rules regarding medical record access. Employees should be aware of the sanctions policy and should receive annual refresher training.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/