SOURCE: LockPath, Inc.

July 21, 2015 00:00 ET

Why Unauthorized Employee Access Is a Major Insider Threat

OVERLAND PARK, KS--(Marketwired - July 21, 2015) - Multiple cases and studies show that employee negligence, or "human error", is one of the most common causes of data breaches. But what happens when the insider threat is intentional? How can health care organizations learn from a disgruntled employee accessing PHI outside his or her job duties and what steps can be taken to curb medical identity fraud?

Last April, UMass Memorial Medical Group suffered a data breach affecting up to 14,000 patients. UMass Memorial said the breach was caused by a now former employee accessing patient billing records outside of her normal job responsibilities over a five-month period. Information accessed included patients' names, addresses, dates of birth, medical records, Social Security numbers and credit/debit card numbers. Although the investigation is ongoing, it was thought that the former employee accessed the records for tax fraud purposes.

In February, the Philadelphia Fire Department was notified that a man in Opa-Locka, Florida was arrested with a sheet of paper containing personal information of patients who rode in a Philadelphia ambulance during a seven-month period in 2012. The sensitive information was leaked by an employee of Intermedix, a company in Fort Lauderdale, Florida that handles billing services for ambulance agencies. Philadelphia Fire Commissioner Derrick Sawyer announced that the employee handed over the information to use in a tax-return fraud scheme. The breach is still under investigation but the department has determined that approximately 750 Philadelphia patients were affected. It is still unknown whether the information was used to file false tax returns.

The common theme in these and other cases involving unauthorized access is that too many individuals have access to personal health information. It may seem unrealistic to ask health care organizations to limit the number of employees with access when so many of them must use the information daily to carry out normal job duties. So how can hospitals and other health care companies curb medical identity fraud?

Here are some recommendations:

  • Educate patients on medical identity theft. Encourage patients to check statements and records for suspicious activity. Many fraud cases go undetected for long periods of time due to the lack of attention patients pay to their records. Health care organizations should make it convenient for patients to access their statements as well.
  • Continually train staff. Educate staff members on how and when PHI should be accessed. Ensure they understand the severity of the consequences should they go outside of their job responsibilities when accessing information. Regular assessments are encouraged to ensure comprehension of policies and procedures.
  • Have an anonymous whistleblower system. Employees who think they have witnessed fraudulent activity should have a way to report the incident anonymously, whether through a hotline or as part of your risk and compliance program. LockPath's Anonymous Incident Portal is a web-based service that allows employees to securely and anonymously report workplace incidents and violations including accounting or financial issues, human resources violations, privacy issues, ethics violations and workplace safety.
  • Identify red flags. Staff members should be trained on how to identify red flags that could signal fraud during patient interactions and while processing paperwork. This could include tests being ordered that are inconsistent with patient history, information collected during a patient visit that doesn't match their file, etc.

About LockPath
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.
