Insider-Related Breaches Spike After 4-Year Decline, Potentially Costing Hospitals Millions

As the pandemic wreaked havoc on the healthcare industry, the number of U.S. patient records breached by hospital insiders more than doubled in 2020, surpassing a staggering 8.5 million, according to the recently published Protenus Breach Barometer®. 

With the volume of insider-related incidents up after a four-year decline, the number of patient records improperly accessed by insiders also jumped — from 3.8M in 2019 to 8.5M in 2020. This new level of improper data exposure is concerning for a litany of reasons, regardless of the insider's intention. Whether improper access to patient data is gained for malicious purposes or by mistake, these kinds of violations can cost an organization significant financial penalties, reputational damage, and loss of patients to competitors. 

Download the 2021 Breach Barometer® for the latest insights on how data breaches are impacting the healthcare industry.

One concerning repercussion of insider breaches in particular — which accounted for 20 percent of the total number of breaches in 2020 — is that these incidents may directly lead to a reduction in workforce. Insiders found responsible for intentional or reckless compliance breaches can, and many times do, lose their jobs. 

'You're fired'

A single New York City-based medical center has already terminated two employees so far in 2021 for inappropriate access to patient records. The more recently fired employee was found to have accessed patient records in violation of the system's code of conduct for over a year, between January 2020 and February 2021. The previous incident, which involved a different employee, stretched from June to November 2020, compromising patient information including first and last names, medical record numbers, addresses, birth dates, and partial Social Security numbers, and potentially some clinical information. 

The New York medical center that was affected by these two incidents may be more publicly transparent than others about its challenges, but it is far from alone in combating insider snooping, as evidenced by data in the 2021 Breach Barometer as well as by several cautionary tales from recent years. In 2017, a South Carolina organization fired 13 employees for viewing patient records without authorization. In 2019, 50 staff members were fired from a Chicago hospital for inappropriately accessing a well-known actor's medical records.  

The prospect of having to fire any employee over a data breach — not to mention dozens — is alarming given the strain placed on healthcare teams and employment levels already. After rounds of layoffs and furloughs early in the pandemic due to revenue-halting elective procedure shutdowns, the last thing hospitals need is more turnover or workflow upheaval. There are already a limited number of individuals protecting patient privacy and organizational compliance, all in the face of continuously mounting risks. 

The human factor

At the end of the day, termination is a quick fix — nothing more. It does not address the range of risks and challenges compliance teams face throughout the course of their work, which now notably include employee temptation to snoop on COVID-19 diagnoses and vaccination records. With such highly sought-after information just clicks away, curiosity is a real challenge to contend with, as is another human tendency: making mistakes. 

The fact that it's not hard to inappropriately access information may have contributed to the Breach Barometer's finding that in 2020, the number of insider incidents involving human error was more than double the number of insider incidents involving wrongdoing. Error was the root cause for the breach of nearly 7.7 million patient records, compared to 241,128 records reportedly compromised by insider-wrongdoing. 

Given the exacerbating circumstances healthcare workers endured, it's not hard to understand why mistakes were common last year. While honest, one-off mistakes don't necessarily escalate to grounds for termination, they are still cause for great concern when they violate patient privacy and compliance rules.

Addressing insider concerns

Financial penalties, reputational damage, revenue loss, and workforce reductions are all worrisome yet avoidable consequences of patient data breaches of any kind, including insider-related incidents that spiked in 2020. Fortunately, healthcare compliance analytics solutions are helping compliance teams cut through the noise to focus on only EHR interactions that really warrant human intervention. 

Rather than manually reviewing what amounts to a small fraction of auditable events, compliance teams can use truly advanced analytics built on AI and automation to swiftly detect and investigate all possible incidents. With this powerful technology at their fingertips, compliance professionals can confidently make headway in their efforts to protect patient data, no matter who wants to breach it or why. 

Download the 2021 Protenus Breach Barometer® to better understand how data breaches are affecting healthcare during the global pandemic.