It’s not only professional hackers who can wreak havoc on sensitive personal data — employees can be just as dangerous.
Earlier this year, a staff member at Children’s Medical Clinics of East Texas in Kaufman took documents and a screenshot of records that exposed the protected health information of 16,000 patients, according to a letter from the medical clinic to parents and guardians.
What’s the story?
The staff member took home business documents and didn’t return them. That same individual also provided an unauthorized screenshot of patient records to a disgruntled employee who has a “retaliatory agenda against the clinic,” the letter notes.
Those records include the names, dates of birth, diagnoses and treatment of some 16,000 patients, according to the letter.
How does this differ from a traditional hacking scheme?
This was an insider job, not a breach from outside the system.
The employee who stole the information was an authorized user, and had authorized access to the files and information.
“Under HIPAA (the Health Insurance Portability and Accountability Act), this employee’s access was authorized and she had HIPAA training. However, once she became involved with forwarding information to a 3rd party, her access was unauthorized. Therefore, the HIPAA privacy rules require that incidents be notified to you and reported to the regulatory agency, HHS (U.S. Department of Health and Human Services),” the letter notes.
This certainly highlights the difficulty of preventing and detecting breaches involving insiders.
“Unfortunately I think these incidents are much more widespread than what we see discovered and reported,” Mac McMillan, CEO of the security consulting firm CynergisTek, told the website Data Breach Today. “Users know if their organization is proactively monitoring or not.”
Is my child’s information at risk?
If you take your child to any one of the 3 clinics that Children’s Medical Clinics of East Texas operates, your child’s information could have been compromised.
But according to Children’s Medical Clinics, there’s no evidence that the employee disclosed the information to anyone other than the 3rd party. And it’s believed that the disgruntled employee has no intent to harm patients.
Yet the letter notes there is no way to narrow down exactly what was compromised.
What can I do?
Don’t hesitate to take advantage of the free credit monitoring services that the clinic is offering to potential victims.
It’s also a good idea to take immediate action and register a fraud alert with all 3 credit bureaus.
You can closely monitor your credit score and credit report by visiting myBankrate.
Follow me on Twitter: @MitchStrohm