SSM Health employee breached up to 29,000 patients’ records

SSM Health, a non-profit health care provider, has informed 29,000 patients that their data may have been breached after a former call center employee improperly accessed medical records.

In a statement released on December 29, 2017, SSM Health said the employee accessed protected health information of patients across several states, including demographic and other types of clinical information, which constitutes a violation of the Health Insurance Portability and Accountability Act (HIPAA). No financial information was accessed, SSM Health says.

The breach occurred between February 13 and October 20, 2017.

An investigation has revealed that the perpetrator of the breach sought out patients in the St. Louis area with a controlled substance prescription and a primary care physician.

A constant problem

SSM Health learned of the breach on October 30 and launched an immediate investigation. It is working with the Office for Civil Rights and local law enforcement to better understand the breach and to make necessary changes to protect patient records.

Breaches in the health care system are a constant problem, particularly those caused by insiders. Many employees need to be given access to sensitive information to do their job, and there are many reasons they may choose to misappropriate it. Financial gain is one of the most common motives – with criminals selling the information on the dark web – but malicious insiders might also access data out of curiosity, perhaps looking for the records of celebrity patients or people they know.

It’s hard to prevent insider incidents, because almost any employee is a potential threat. Even if you can spot an employee who you suspect is a security liability, it’s difficult to stop them breaching information if they have a legitimate reason to access databases and records. However, organizations can mitigate the threat by putting in place access controls to limit the amount of information any one employee can view.

Organizations might also wish to put in place policies restricting the use of removable devices. This will make it harder for employees to copy information without leaving a trace (in a way that emailing information would).

Policies such as this should be formalized in an organization’s business continuity management system (BCMS). A BCMS is a comprehensive approach to organizational resilience. It helps organizations to update, control, and deploy effective plans, taking into account organizational contingencies, capabilities, and business needs.

Essential guidance to prevent business continuity disasters

For examples of business continuity in practice, you should read our January book of the month, In Hindsight – A compendium of Business Continuity case studies.

This guide analyzes the factors that contributed to some of the biggest disasters from the past 30 years, including the Toyota vehicle recall and Hurricane Katrina. It reveals the common themes that contributed to these incidents and proposes measures that could have minimized the risks and consequences.

Save 10% when you buy before the end of January >>

Essential guidance on preventing business continuity disasters. Save 10% in January >>

Leave a Reply

Your email address will not be published. Required fields are marked *