Blog | Protenus

Protecting and Building Patient Trust

Which would you be more concerned about: someone hacking Facebook and accessing your account or an employee at a hospital where you were treated for a sexually transmitted disease reading and copying your medical records? Both might cause concern, but if you lose trust in your healthcare provider to keep your information confidential, will you be quick to seek treatment from them again? 

Since 2016, Protenus has kept track of instances of insider wrongdoing involving medical or health data that have been reported to the U.S. Department of Health and Human Services (HHS), state regulators, or the media. Our annual Breach Barometer reports include insider wrongdoing as a category, where the wrongdoing might involve snooping on records, theft of data by an employee, collaboration between an employee and external threat actors, and other types of bad behavior by employees or employees of third-party vendors or contractors that compromise patient medical confidentiality or privacy. 

Unfortunately, available reports of insider wrongdoing are likely to significantly underestimate the true scope of such problems because:

  1. Some entities will report an incident as an internal incident but not provide details that would enable determination of whether it was insider error or willful insider wrongdoing; 
  2. HHS allows covered entities to report incidents as “unauthorized access/disclosure,” which could mean accidental error or intentional wrongdoing, and we will not know which without further details; and
  3. When talking with trusted journalists, some threat actors will claim that they have gained access to certain entities by bribing employees to provide their login credentials or to engage in other behaviors that enable criminal activity. The victim entity may never discover their employee’s perfidy.

Protenus has continued to track insider wrongdoing incidents reported in 2024. Here are just a few of the examples we have uncovered so far through public reporting:

Former Employees Take Records

According to the Office of the Vermont Attorney General, North Country Hospital sent a notice of a data breach to consumers. The letter stated, “On February 20, 2024, an employee of the North Country Hospital ("NCH") ended their employment with NCH. They may have left NCH grounds with records that were in their physical possession. Those records would have been duplicates (for quality review purposes). We do not know for certain whose records would have been included, but we know that they potentially may have included your records. For that reason, we feel it important to notify you. We have attempted to investigate this potential unauthorized removal of the records and prevent any potential harm to you. This includes attempts to contact the former employee to ascertain what occurred. This has not provided us with the clarity we would need to know with certainty what happened with the records in question.”

Employee Solicitation Turns Malicious

A now-former employee has pleaded guilty in a 2023 data breach at Jordan Valley Community Health Center in Missouri. A media report explains:

The former employee, Chante Falcon, accessed patient records from more than 2,500 individuals who identified as Native American. Afterward, she shared the details with a pair of individuals who reached out to patients via unsolicited calls, presenting complimentary services provided by the Southwest Missouri Indian Center. According to the publication, the former employee also obtained sensitive health data from one individual and shared it with others with malicious intent.

The health center’s notification attempted to reassure those affected:

“Fortunately, all printed and digital material taken from Jordan Valley was retrieved and destroyed. Affidavits were obtained in the attempt to ensure no other copies of information existed. Consistent with our core values and ongoing efforts to improve the quality of patient care and convenience, we have further limited access to information without a business need so this does not happen again.”

Hidden Access

On February 16, 2024, McKenzie County Healthcare System, Inc. d/b/a McKenzie Health (“McKenzie Health”) filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after discovering that an unauthorized party was able to access an employee’s email account. In this notice, McKenzie Health explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, addresses, medical information, and health insurance information.

Protecting and Building Trust

At the beginning of this post, we asked whether you would be quick to seek treatment from a healthcare provider if they broke your trust by failing to keep your information confidential. Whether insider wrongdoing impacts many patient records or one, the results can be devastating. To make matters worse, insider wrongdoing incidents are often more difficult to discover or control than incidents like massive hacks. Can your organization quickly detect any inappropriate insider access to data? Do you have the tools and resources to do that?

Healthcare organizations seeking to build trust and protect their patients’ privacy and their institution’s reputation must take action. Leading healthcare organizations have selected Protenus Patient Privacy Monitoring to:

  • Monitor up to 100% of system accesses
  • Accurately identify the most suspicious accesses for investigation 
  • Perform efficient investigations by viewing data from a single pane of glass
  • Shorten incident investigation time 
  • Drive accuracy rates and decrease false positives
  • Provide insight into organizational policy adherence for key stakeholders
  • Build patient trust with proactive methods to protect their privacy

Don’t risk your organization’s reputation, regulatory enforcement action, and potential class action lawsuits: take action now to reduce insider wrongdoing incidents.
