Insider Allegedly Steals Mental Health Data of 28,000 Patients

The alleged theft of mental health information on more than 28,000 patients in Texas, which went undetected for well over a year, is yet another reminder of the substantial risks that terminated employees can pose as well as the need to take extra steps to protect the most sensitive patient information.
The Center for Health Care Services, a provider of mental health services and substance abuse treatment based in San Antonio, Texas, is notifying 28,434 patients whose data was apparently stolen when a former employee allegedly took the information after he was fired in 2016, according to a statement issued by the center.
“A former employee of CHCS was discovered to have secretly taken personal health information from CHCS on his personal laptop computer at the time his employment was terminated on May 31, 2016,” the statement says. “The discovery was made on Nov. 7, 2017, as a result of documents produced in litigation between the former employee and CHCS.”
CHCS says the compromised data includes patients’ Social Security numbers, dates of birth, medical records numbers, dates of services, referral information, progress notes, types of services, diagnoses, medications, lab and toxicology reports, autopsy reports, death certificates, treatment plans and discharge and death summaries.
“CHCS does not currently believe there are any steps individuals need to take to protect themselves from potential harm resulting from the breach, but will provide further notification if the circumstances change materially,” the center’s statement says.
The clinic’s attorney declined to describe to Information Security Media Group the nature of the litigation between CHCS and the former employee or provide further information.
Insider Risks
The breach at the San Antonio clinic is the latest incident spotlighting the risks posed by fired employees and other insiders.
Last week, the Department of Health and Human Services’ Office for Civil Rights issued an alert reminding covered entities and business associates of the serious security and privacy risks that terminated employees can pose and offering advice for mitigating those risks.
Among the advice offered by OCR, as well as privacy and security experts, is for organizations to quickly end employees’ electronic and physical access to data when they leave their jobs for any reason (see Mitigating Threats Posed by Terminated Employees).
Sensitive Health Data
Some privacy and security experts say the recently revealed incident at the San Antonio clinic is also a reminder of the importance of safeguarding patients’ most sensitive health data, such as mental health, substance abuse and HIV status information.
“Healthcare organizations’ infosec programs should include data classification,” says Kate Borten, president of The Marblehead Group consultancy. “In terms of confidentiality, all PHI is confidential. But mental health and other types of PHI should be treated as highly confidential and deserving of more rigorous security controls.
“Today, we grant electronic PHI access to groups of users, such as nurses and physicians, but access to highly confidential PHI should be restricted to the patient’s specific caregivers. Unfortunately, our healthcare system vendors have not yet implemented that level of access control granularity.”
Although HIPAA does not parse PHI into different levels of sensitivity, the healthcare industry has long recognized that a breach of mental health information is very likely to be damaging to the patient, Borten says. “Furthermore, federal and state laws pile on the requirements and penalties for such breaches,” she adds.
For example, under the federal regulation 42 CFR Part 2, healthcare providers participating in federally assisted substance abuse programs have additional requirements for protecting the confidentiality of certain patient data. Those include, for example, special requirements for obtaining patients’ consent before information is released, plus standards for de-identification of sensitive data.
Meanwhile, in its most recent HIPAA enforcement action, OCR in May issued a hefty financial penalty in a breach case involving sensitive HIV status information of just two patients (see Big Settlement in Privacy Case Involving 2 Patients’ HIV Data).
OCR said St. Luke’s-Roosevelt Hospital Center in New York City paid $387,000 and agreed to a corrective action plan to settle a case involving “careless handling of HIV information.”
Taking Extra Precautions

Healthcare organizations need to be especially careful when handling certain extra-sensitive patient information, says Mac McMillan, CEO of security consultancy CynergisTek.
“All personal health information is important, but information concerning mental health, substance abuse and other similar types of issues can be particularly negative if exposed publicly,” he says. “But it also represents an at-risk population for higher risk of exploitation. So it should garner greater attention.”
Entities handling this type of information should have strict policies regarding the use of personal devices, he notes. “They should employ data loss prevention tools to manage/limit data extraction,” he says. “There should be elevated or more frequent user audits to identify at-risk behaviors. The problem is getting information back is always harder than stopping it from leaving.”
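As an added example (not code from the article, CHCS or any vendor named here), the kind of user audit McMillan and OCR describe, run over a constructed HR roster and constructed access-log lines: it flags any account activity after the account owner's termination date, and bulk record exports in the days leading up to termination. The user names, dates, window and export threshold are all assumptions constructed for the example.

```python
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed HR roster: user and ISO termination date (empty = still active).
HR_ROSTER = """user,terminated
jdoe,2016-05-31
asmith,
"""

# Constructed access log: date, user, action and number of records touched.
ACCESS_LOG = """date,user,action,records
2016-05-27,jdoe,export,1200
2016-05-30,jdoe,export,27000
2016-06-02,jdoe,login,0
2016-05-30,asmith,view,12
"""


def load_roster(text):
    """Map each user to a termination date, or None for active staff."""
    return {
        row["user"]: (date.fromisoformat(row["terminated"]) if row["terminated"] else None)
        for row in csv.DictReader(StringIO(text))
    }


def audit(roster_text, log_text, window_days=14, export_threshold=1000):
    """Return (user, date, reason) findings for terminated accounts.

    Two checks: activity dated after termination (access was not revoked),
    and exports of at least export_threshold records within window_days
    before termination (possible data removal ahead of departure).
    """
    roster = load_roster(roster_text)
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, when = row["user"], date.fromisoformat(row["date"])
        term = roster.get(user)  # unknown or active users get no checks here
        if term is None:
            continue
        if when > term:
            findings.append((user, when.isoformat(), "access after termination"))
        elif (row["action"] == "export" and int(row["records"]) >= export_threshold
              and term - when <= timedelta(days=window_days)):
            findings.append((user, when.isoformat(), "bulk export before termination"))
    return findings


if __name__ == "__main__":
    for finding in audit(HR_ROSTER, ACCESS_LOG):
        print(*finding)
```

In practice the roster comes from the HR system and the log from the EHR or DLP audit trail; the value of the check is running it routinely, so an 18-month gap like the one in this case cannot pass unnoticed.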