The Dark Overlord made headlines earlier this year by advertising the availability of 9.2 million US hospital records on the Dark Web and selling them for 730 bitcoin, which is more than $450,000. Just a few weeks ago, Fancy Bear, a Russian cyber espionage group, exposed medical records of top olympians, revealing that they had received exemptions to use doping medications. Hackers receive a great deal of media attention because their tactics are deeply mysterious to the average person and frequently result in the exposure of thousands of records. However, one group’s activity potentially represents the biggest threat to patient data: insider snooping. These snoops are hospital employees who have access to the EHR and misuse this privileged access. They look at the medical records of colleagues, family and friends out of curiosity, for potential blackmail purposes, or a host of other reasons.

Patients most frequently interact with doctors, nurses, and allied health professionals, making it easy for them to forget about all of the other people that go into running a hospital. Among the many unseen activities that go on in healthcare, hospitals need teams managing patient data, submitting insurance billing, maintaining legal compliance in clinical trials, and ordering medical supplies, in order to properly operate. Compliance teams can work with patients to help them better understand how the healthcare organizations they visit monitor and protect their electronic protected health information (ePHI).

A new Breach Barometer Special Report: Third Party Breaches published by Databreaches.net in collaboration with Protenus highlights that more than 30 percent of patient data breaches are a direct result of third-parties. Community physicians, affiliates, and certain vendors often have extensive access to patient data in the electronic health record (EHR). This increase in the number of users who have EHR access creates a huge vulnerability for healthcare systems and a headache for compliance teams. While vendors are often long-time trusted partners, relationships that add a large number of new EHR users or provide vendor employees with access to patient data create significant patient privacy monitoring challenges.

The Protenus team was deeply honored and humbled when we received the 2016 HPE-IAPP Privacy Innovation Award for Technology. There is no greater privilege than to be recognized by your peers for making real contributions to enhancing patient privacy.

Headlines about data breaches are all too common recently, with large companies like Target and Home Depot experiencing large-scale data breaches. The healthcare industry was hit particularly hard in the past few years, with organizations like Anthem Inc. and St. Joseph Health System, to name but two, suffering massive health data breaches.