Here’s the headline:
Georgia Eye Center Discovers Insider Breach: 10,891 Patients Impacted.
That’s a headline no company wants to see in the news. A data breach that impacted over 10,000 of your patients! The kicker to the story is how the breach happened.
An employee of the Thomasville Eye Center in Thomasville, GA, was discovered accessing the protected health information of patients without authorization. PHI was stolen from the eye center and used to open credit accounts in the names of the patients.
An internal employee breached patient PHI for his own personal gain. To me, that identifies a large training gap for the employees, as well as the importance of performing background checks on every new hire.
If employees are provided with access to the protected health information of patients, there is a risk of PHI access rights being abused. While it is not possible to eradicate the risk of data theft by employees, healthcare organizations can take a number of steps to reduce risk. These include:
- Conducting background checks prior to employment being offered
- Ensuring that staff training is provided on patient privacy and the penalties for improper PHI access
- Restricting access to PHI to the minimum necessary information for work duties to be performed
- Restricting access to PHI to an individual worker’s patient case load
- Blocking the use of portable storage devices (e.g. disabling USB mass-storage on endpoints that handle PHI) so records cannot simply be copied off a workstation
- Ensuring PHI access logs are recorded and are frequently reviewed, so that improper PHI access is identified promptly if and when it does occur. Periodic review is what turns an audit trail into a control: logs that nobody reads will not catch an insider pulling records outside their case load.
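The last three controls above (minimum-necessary access, case-load restriction, and regular review of PHI access logs) can be checked mechanically. The script below is an added example written for this post, not code from the eye center or any EHR vendor: it runs three simple detection rules over a constructed audit log. The CSV column layout, the `CASELOAD` mapping, the 07:00 to 18:59 business-hours window, and the five-patients-per-day threshold are all assumptions chosen for illustration; real EHR audit formats and sensible thresholds vary by organization.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample PHI access log for this example (not a real log).
# The column layout is an assumption; real EHR audit logs vary by vendor.
SAMPLE_LOG = """timestamp,user,patient_id,action
2023-01-10T08:05:00,jdoe,P1001,view
2023-01-10T08:07:00,jdoe,P1002,view
2023-01-10T08:09:00,jdoe,P1003,view
2023-01-10T08:10:00,asmith,P2001,view
2023-01-10T08:11:00,asmith,P2002,view
2023-01-10T08:12:00,asmith,P1001,view
2023-01-10T19:30:00,asmith,P1004,export
2023-01-10T19:31:00,asmith,P1005,export
2023-01-10T19:32:00,asmith,P1006,export
2023-01-10T09:00:00,bjones,P3001,view
"""

# Constructed mapping of each worker to the patients on their case load
# (hypothetical). A user missing from this map has no authorized patients.
CASELOAD = {
    "jdoe": {"P1001", "P1002", "P1003"},
    "asmith": {"P2001", "P2002"},
}

# Hours counted as normal working time (assumption: 07:00-18:59).
BUSINESS_HOURS = range(7, 19)


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def parse_log(text):
    """Parse the CSV audit log into dict rows, adding a parsed datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access_log(text, caseload, max_distinct_per_day=5):
    """Apply three insider-access rules and return a list of Findings.

    Rule 1: access to a patient who is not on the worker's case load.
    Rule 2: access outside business hours.
    Rule 3: more distinct patients touched in one day than the threshold.
    """
    rows = parse_log(text)
    findings = []
    per_user_day = defaultdict(set)

    for row in rows:
        user, pid, ts = row["user"], row["patient_id"], row["ts"]
        allowed = caseload.get(user, set())
        if pid not in allowed:
            findings.append(Finding(user, "out_of_caseload",
                                    f"{row['action']} {pid} at {ts.isoformat()}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(Finding(user, "after_hours",
                                    f"{row['action']} {pid} at {ts.isoformat()}"))
        per_user_day[(user, ts.date())].add(pid)

    for (user, day), pids in sorted(per_user_day.items()):
        if len(pids) > max_distinct_per_day:
            findings.append(Finding(user, "volume",
                                    f"{len(pids)} distinct patients on {day}"))
    return findings


def users_flagged(findings):
    """Sorted list of distinct users that triggered at least one rule."""
    return sorted({f.user for f in findings})


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, CASELOAD):
        print(f"{f.user:8} {f.rule:16} {f.detail}")
```

On the constructed log, `jdoe` stays within their case load during working hours and is never flagged; `asmith` trips all three rules (a colleague's patient at 08:12, three evening exports of unassigned patients, six distinct patients in one day), and `bjones`, who has no case load at all, is flagged on the first access. The point of the case-load rule is that it catches the pattern in the story above even when each individual record lookup looks routine: the employee had legitimate access to the system, just not to those patients.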