Healthcare breach undetected for 14 years

A data breach dating back 14 years has come to light after a former patient of state-owned Tewksbury Hospital, Massachusetts, filed a complaint that triggered an investigation.

The investigation revealed that “one hospital employee appeared to have accessed the former patient’s records without a good reason to do so.”

The review discovered that the same employee had also accessed a number of other current and former patients’ records inappropriately. The information included names, addresses, dates of birth, telephone numbers, and medical details, and affected around 1,100 people who were patients of the hospital between 2003 and May 2017.

A statement from the Massachusetts Department of Health and Human Services said:

The individual responsible for this incident is no longer employed by Tewksbury Hospital and no longer has access to the Tewksbury Hospital electronic medical records system.

It continued:

To reduce the chance of future incidents like this occurring, we are reviewing our policies regarding access to the electronic medical records system. We are also reassessing how we review our workforce members’ use of the electronic medical records system, and we will be reviewing the training we provide to all workforce members regarding the privacy and security of confidential information.

A Protenus report stated that “the longevity of this type of insider breach of patient data is extremely worrisome.” The report also said “this is a prime example of why healthcare needs to be much more proactive in detecting inappropriate access to patient information.”

Although this is an example of a deliberate misuse and not human error, it shows the importance of training staff effectively to ensure that they know how to treat confidential information.

Educate your staff

Information security is critical within the business environment. Enroll your staff in our Information Security Staff Awareness E-learning Course so that they gain a better understanding of what is expected of them. The course advises staff on how to avoid becoming a security liability, introducing them to your internal policies on incident reporting and response. Your staff are on the front line: give them the awareness training they need.

Reduce your security risk exposure with information security staff awareness training >>

Protect your company

It is vital that organizations have the right security controls in place to prevent incidents like this. Lack of user access management could allow unauthorized staff to access highly sensitive customer information, which could then result in a data breach.

IT Governance offers a range of cybersecurity solutions. For more information, read our Cyber Testing Playbook >>