Changed: Wed, 08/02/2023 - 11:01

A Washington state hospital will pay the government $240,000 to resolve a data privacy investigation after nearly two dozen security guards were caught snooping through medical records without a job-related purpose.

Yakima Valley Memorial Hospital agreed to the voluntary settlement after an investigation into the actions of 23 emergency department security guards who allegedly used their login credentials to access the patient medical records of 419 patients.

The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information, according to a release by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). A breach notification report alerted OCR to the snooping.

As part of the agreement, OCR will monitor Yakima Valley Memorial Hospital for 2 years and the hospital must conduct a thorough risk analysis as well as develop a risk management plan to address and mitigate identified security risks and vulnerabilities. The settlement is not considered an admission of guilt by the hospital.
 

Is such snooping common?

The incident highlights the frequent practice of employees snooping through medical records and the steep consequences that can result for providers, said Paul Redding, vice president of partner engagement and cybersecurity at Compliancy Group, a company that offers guided HIPAA compliance software for healthcare providers and vendors.

“I think the problem is absolutely growing,” he said. “What’s crazy about this case is it’s actually a really small HIPAA violation. Less than 500 people were affected, and the hospital still must pay a quarter-of-a-million-dollar settlement. If you take the average HIPAA violation, which is in the thousands and thousands of [patients], this amount would be magnified many times over.”

In general, employees snoop through records out of curiosity or to find out information about people they know – or want to learn about, said J. David Sims, a cybersecurity expert and CEO of Security First IT, a company that provides cybersecurity solutions and IT support to health care businesses.

Mr. Sims says he has heard of cases where health professionals snooped through records to find information about the new love interests of ex-partners or to learn about people on dating websites whom they’re interested in dating.

“Most of the time, it’s people being nosy,” he said. “In a lot of cases, it’s curiosity about famous people. You see it a lot in areas where you have football players who come in with injuries or you have an actor or actress who come in for something.”

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the health care industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” OCR director Melanie Fontes Rainer said in a June statement. “HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

Yakima Valley Memorial Hospital did not return a message seeking comment.

According to OCR’s latest report to Congress, complaints about HIPAA violations increased by 39% between 2017 and 2021. Breaches affecting fewer than 500 individuals rose by 5% during the same time period, and breaches impacting 500 or more individuals increased by 58%.

Common reasons employees snoop

The OCR announcement does not specify why the 23 security guards were accessing the medical records, but the incident raises questions about why the security guards had access to protected health information (PHI) in the first place, Mr. Redding said.

“I have yet to have anyone explain to me why the security guards would have access to PHI at all, at any level,” he said. “Was it by design or was it by error?”

In 2019, for instance, dozens of employees at Northwestern Memorial Hospital in Chicago were fired for accessing the health records of former Empire actor Jussie Smollett. In another high-profile case, nearly a dozen emergency medical service employees were caught snooping through 911 records connected to the treatment and, later, death of Joan Rivers.

“Sadly, there is a lack of education around what compliance really means inside the medical industry as a whole,” Mr. Redding said. “There is a lack of employee training and a lack of emphasis on accountability for employees.”
 

Privacy breaches fuel lawsuits

Health professionals caught snooping through records are frequently terminated and employers can face a range of ramifications, including civil and criminal penalties.

A growing trend is class action lawsuits associated with privacy violations, Mr. Redding adds.

Because patients are unable to sue in civil court for HIPAA breaches, they frequently sue for “breach of an implied contract,” he explained. In such cases, patients allege that the privacy documents they signed with health care providers established an implied contract, and their records being exposed constituted a contract breach.

“Class action lawsuits are starting to become extremely common,” Mr. Redding said. “It’s happening in many cases, even sometimes before Health & Human Services issues a fine, that [providers] are being wrapped into a class action lawsuit.”

Mayo Clinic, for example, was recently slapped with a class action suit after a former employee inappropriately accessed the records of 1,600 patients. Mayo settled the suit in January 2023, the terms of which were not publicly disclosed.

Multiple patients also filed a class action suit against San Diego–based Scripps Health after its data were hit with a cyberattack and subsequent breach that impacted close to 2 million people. Scripps reached a $3.5 million settlement with the plaintiffs in 2023.

Some practices and employers may also face state penalties for data privacy breaches, depending on their jurisdiction. In July, Connecticut’s comprehensive data privacy law took effect; the state was the fifth to enact such a law. The measure, which creates a framework for protecting health-related records and other consumer data, includes civil penalties of up to $5,000 for violations. California, Virginia, Utah, and Colorado also have comprehensive state data privacy laws on the books.
 

How can practices stop snooping?

A first step to preventing snooping is conducting a thorough risk assessment, said David Harlow, a health care attorney and chief compliance and privacy officer for Insulet Corporation, a medical device company. The analysis should address who has access to what data and whether they really need such access, he said.

“Then it’s putting in place the proper controls to ensure access is limited and use is limited to the appropriate individuals and circumstances,” Mr. Harlow said.

Regulators don’t expect a giant academic medical center and a small private physician practice to take an identical HIPAA compliance approach, he stressed. The ideal approach will vary by entity. Providers just need to address the standards in a way that makes sense for their operation, he said.

Training is also a critical component, adds Mr. Sims.

“Having training is key,” he said. “Oftentimes, an employee might think, ‘Well, if I can click on this data and it comes up, obviously, I can look at it.’ They need to understand what information they are and are not allowed to access.”

Keep in mind that settings or controls might change when larger transitions take place, such as moving to a new electronic health record system, Mr. Sims said. It’s essential to reevaluate controls when changes in the practice take place to ensure that everything is functioning correctly.

Mr. Sims also suggests that practices create a type of “If you see something, say something,” policy that encourages fellow physicians and employees to report anything that looks suspicious within electronic logs. If an employee, for instance, is suddenly looking at many more records than usual or at odd times of the day or night, this should raise red flags.

“It’s great to stop it early so that it doesn’t become a bigger issue for the practice to deal with, but also, from a legal standpoint, you want to have a defensible argument that you were doing all you could to stop this as quickly as possible,” he said. “It puts you in a better position to defend yourself.”
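The two signals Mr. Sims describes, a user opening far more records than their own baseline and access at odd hours, and the “who has access to what” question Mr. Harlow raises, are all checks that can be run over an EHR’s access-audit log. The following Python script is an added example written for this page, not code from the article or from any company quoted in it. The pipe-delimited log format, the sample events, the role names, the data classes each role is entitled to, the shift windows, and the spike threshold are all assumptions for illustration rather than any vendor’s or hospital’s configuration.

```python
# Added example (not code from the article or from any company quoted in it):
# a minimal EHR access-audit review that flags the patterns discussed above.
# The log format, role names, data classes, shift windows and thresholds are
# assumptions for illustration, not any vendor's or hospital's configuration.
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Assumed entitlement policy: the record data classes each role may open.
# A guard needs to locate a patient, not read notes or insurance details.
ROLE_ENTITLEMENTS = {
    "ed_physician": {"demographics", "clinical_note", "insurance", "location"},
    "ed_nurse": {"demographics", "clinical_note", "location"},
    "registration": {"demographics", "insurance", "location"},
    "security": {"location"},
}

# Assumed scheduled hours per role as [start, end) local hours; roles not
# listed here (clinical staff on rotating shifts) may access at any hour.
ROLE_SHIFT_HOURS = {"security": (6, 22), "registration": (6, 22)}

SPIKE_FACTOR = 3        # a day > 3x the user's median daily volume is a spike
MIN_BASELINE_DAYS = 2   # need this many other days before calling a spike

# Constructed sample audit events: ts|user|role|patient_mrn|data_class|action
SAMPLE_LOG = """\
2023-03-01T08:05:00|g.adams|security|MRN1001|location|view
2023-03-02T09:10:00|g.adams|security|MRN1002|location|view
2023-03-03T07:45:00|g.adams|security|MRN1003|location|view
2023-03-03T23:15:00|g.baker|security|MRN1004|clinical_note|view
2023-03-03T23:16:00|g.baker|security|MRN1004|insurance|view
2023-03-01T10:00:00|n.chen|ed_nurse|MRN1001|clinical_note|view
2023-03-01T10:20:00|n.chen|ed_nurse|MRN1002|clinical_note|view
2023-03-02T11:00:00|n.chen|ed_nurse|MRN1003|clinical_note|view
2023-03-02T11:30:00|n.chen|ed_nurse|MRN1005|clinical_note|view
2023-03-03T12:00:00|n.chen|ed_nurse|MRN1006|clinical_note|view
2023-03-03T12:05:00|n.chen|ed_nurse|MRN1007|clinical_note|view
2023-03-03T12:10:00|n.chen|ed_nurse|MRN1008|clinical_note|view
2023-03-03T12:15:00|n.chen|ed_nurse|MRN1009|clinical_note|view
2023-03-03T12:20:00|n.chen|ed_nurse|MRN1010|clinical_note|view
2023-03-03T12:25:00|n.chen|ed_nurse|MRN1011|clinical_note|view
2023-03-03T12:30:00|n.chen|ed_nurse|MRN1012|clinical_note|view
"""

def parse_event(line):
    """Split one pipe-delimited audit line into a dict with a parsed timestamp."""
    ts, user, role, mrn, data_class, action = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "mrn": mrn, "data_class": data_class, "action": action}

def check_entitlement(ev):
    """Flag access to a data class the user's role is not entitled to."""
    if ev["data_class"] not in ROLE_ENTITLEMENTS.get(ev["role"], set()):
        return {"kind": "role_mismatch", "user": ev["user"],
                "detail": f"{ev['role']} opened {ev['data_class']} for {ev['mrn']}"}
    return None

def check_off_hours(ev):
    """Flag access outside the role's scheduled hours."""
    start, end = ROLE_SHIFT_HOURS.get(ev["role"], (0, 24))
    if not start <= ev["ts"].hour < end:
        return {"kind": "off_hours", "user": ev["user"],
                "detail": f"opened {ev['mrn']} at {ev['ts'].isoformat()}"}
    return None

def check_volume_spikes(events):
    """Flag days where a user's record count far exceeds their own baseline."""
    per_user_day = defaultdict(Counter)
    for ev in events:
        per_user_day[ev["user"]][ev["ts"].date()] += 1
    findings = []
    for user, days in per_user_day.items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            if len(others) < MIN_BASELINE_DAYS:
                continue  # not enough history to judge this user yet
            baseline = median(others)
            if count > SPIKE_FACTOR * baseline:
                findings.append({"kind": "volume_spike", "user": user,
                                 "detail": f"{count} records on {day}, "
                                           f"median of other days {baseline:g}"})
    return findings

def analyze(lines):
    """Run every check over the log lines and return the findings for review."""
    events = [parse_event(line) for line in lines if line.strip()]
    findings = []
    for ev in events:
        for check in (check_entitlement, check_off_hours):
            finding = check(ev)
            if finding:
                findings.append(finding)
    findings.extend(check_volume_spikes(events))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['kind']:14} {f['user']:10} {f['detail']}")
```

On the constructed sample the script reports the guard g.baker twice for a role mismatch (clinical notes and insurance are outside the assumed security entitlement) and twice for off-hours access, and the nurse n.chen once for a volume spike (seven records in a day against a median of two). The guard g.adams, who only looks up patient locations during the day at a steady rate, produces nothing. In a real deployment the entitlement map comes from the EHR’s role configuration and the baseline from weeks of history per user, but the structure is the same: the role check answers Mr. Harlow’s question of who was given the keys, and the other two surface the behaviour Mr. Sims says should raise red flags.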

The snooping security guards case holds an important lesson for all health providers, Mr. Harlow said.

“This is a message to all of us, that you need to have done the assessment up front,” he said. “You need to have the right controls in place up front. This is not a situation where somebody managed to hack into a system for some devious means. This is someone who was given keys. Why were they given the keys?”

A version of this article first appeared on Medscape.com.
