1,000 Government Employees Disciplined for Unauthorized Access to Citizens' Private Data

Over 1,000 government employees have been disciplined for ’snooping’ on private citizens’ medical and social security data for over 2 years in UK government's applications and databases.

All of these employees had been given authorized access to the sensitive personal data only after passing a lengthy vetting process. But they went beyond the boundaries of their job and made “unauthorised disclosures of official, sensitive, private and/or personal information”.

"Just about anyone with access to a wealth of personally identifiable information has the opportunity to make a lot of money selling that data on the black markets."

Extremely sensitive medical and personal data at both the UK’s Department for Work and Pensions and The Department for Health were the targets of the unauthorized access.

The information was brought to light via a Freedom of Information request Channel 4’s investigative series, Dispatches

The UK Data Protection Act makes it a crime to obtain or disclose personal data without permission or procure disclosure to other persons. The penalties for a criminal offense are unlimited fine in a higher Crown court and limited to £5,000 ($7,900) in a lower magistrates court.

Download a white paper on privacy breach detection. Learn how to proactively identify unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) UK government staff caught snooping on citizen data - zDNet, May 17, 2012
(a) UK government breached from the inside, 1,000+ workers disciplined - VentureBeat, May 18, 2012

Share

Tax Refunds Fraud Used Stolen Medical Records

Criminals stole tax refunds by filing false tax returns using information stolen from medical records at a Houston area hospital.

The hospital confirmed an employee had inappropriately accessed 741 patients' medical records. The employee was subsequently terminated for unrelated reasons and the hospital did not know about his violation of patient privacy until notified by the police.

"At the time of the employee’s termination, it was unknown by [the] Hospital that the employee had engaged in the unauthorized release of patients’ protected information. The hospital was alerted about this occurrence by the police authority."
- Hospital Chief Compliance Officer

The employee was an intake coordinator who misused her legitimate access to patients’ personal information inappropriately between March 15 to Aug. 18, 2011. The hospital only learned of the medical data theft 7 months later in April, 2012.

The type of information in the possession of the former employee includes forms with personal information such as name, address, date of birth and social security number along with insurance information.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) PI Breach - IntraCare North Hospital website
(b) Houston-area hospital warns patients about privacy breach - Houston Chronicle, May 8, 2012

Share

Identity Thief Uses Hospital Patients' Data to Pay Bills

A hospital employee was charged with identity theft for paying her bills with data stolen from hospital patients. The Chicago resident is charged with 1 charge each of aggravated identity theft and identity theft and faces up to 7 years in prison.

Police say that all victims had been patients at the hospital and that the suspect had opened electric, gas or telephone service in the victim's names. The employee had been with the hospital for 4 years when municipal utility officials reported “suspicious credit card activity” involving her water bill payments.

"An employee of a Chicago hospital has been charged with using the personal information of patients, some of them being treated for cancer, to pay personal bills." - Office of Cook County State’s Attorney Anita Alvarez

Working with the credit card company the police determined that the credit cards transactions had originated at her home or a laboratory at the Chicago hospital. The resulting search of the suspects home yielded credit card numbers, Social Security numbers, and birth dates of more than 50 patients.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) Hospital Employee Charged With Theft Of Patients' Personal Information - Cook County State's Attorney's Office, May 14, 2012
(b) Northwestern Memorial employee charged with theft of patients' identities - Chicago Tribune, May 15, 2012
(b) Northwestern hospital worker charged with stealing patients’ identities - Chicago Sun Times, May 15, 2012

Share

Rogue Employee Violates Patient Data Privacy at New York Hospital

A hospital employee violated patient privacy by inappropriately looking at their medical records while they were at Kingston, New York medical facilities.

The hospitals would not reveal how many patients had their medical privacy violated by the employee.

"We take privacy and security of your personal medical information very seriously, and we apologize this situation. We will continue to maintain a high level of vigilance over our patients’ personal information." - notification letter from hospital

Information that could have been accessed included patients’ names, Social Security numbers, dates of birth, addresses, phone numbers, account information, health insurance information, credit card information, lab test results and diagnoses.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) Privacy of medical records compromised at Kingston and Benedictine hospitals, health center in Rhinebeck - Daily Freeman, April 20, 2012

Share

7 Fired for Violating of Medical Privacy of Overweight Patients

7 hospital employees were fired for looking at the medical records of patients not under their care. The 7 succumbed to their curiosity about a severely overweight patient.

Unfortunately the patient was so disturbed by this violation of her privacy that she is now reluctant to seek treatment at the hospital. The hospital's vice-president publicly condemned the employees' behavior and says such abuses are rare.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users - with no hardware and no on-site software.

Sources:
(a) Seven fired after privacy breach at Peterborough, Ont., hospital - Winnipeg Freepress, May 5, 2012

Share

Gillette Children’s Specialty Healthcare Receives Donation of Patient Privacy Breach Detection Service from Veriphyr

Veriphyr, a leading provider of identity and access intelligence (IAI), today announced that it has donated its patient privacy breach detection service to Gillette Children’s Specialty Healthcare in partnership with Children’s Miracle Network Hospitals (CMNH). The Veriphyr service protects patients’ personal health information (PHI) by detecting inappropriate access by hospital employees and other insiders. Veriphyr applies “big data” analytics to identify potential privacy and regulatory compliance violations, as well as data breaches.

"Gillette is confident that Veriphyr's privacy breach detection and user access compliance services will support our commitment to protecting our patients' PHI." - Paul Hibgy, Change Management and IS Security for Gillette Children’s Specialty Healthcare

“We are excited that our affiliation with Children's Miracle Network Hospitals has resulted in this generous donation from Veriphyr and we look forward to partnering with them on access control efforts going forward,” Paul Hibgy, Change Management and IS Security for Gillette Children’s Specialty Healthcare.

Gillette Children’s Specialty Healthcare is an independent, not-for-profit hospital located in St. Paul, Minnesota, with clinics in Duluth, Burnsville, Maple Grove, Minnetonka, and services for adult patients at their St. Paul - Phalen Clinic. Gillette is uniquely focused on treating children with disabilities and complex medical conditions.

"Every child deserves to have their medical privacy protected. We are pleased to be able to donate Veriphyr services to Gillette Children’s Specialty Healthcare through our partnership with Children’s Miracle Network Hospitals." - Alan Norquist, CEO of Veriphyr

The Veriphyr solution, delivered as a secure cloud service, delivers reports on privacy breaches and inappropriate access to patient data in all EMR, clinical, or business applications within days, not months. It requires no changes to a hospital’s IT infrastructure and no on-site software or hardware.

"The Veriphyr service helps healthcare organizations identify privacy and security problems that could result in identity theft or a loss of medical privacy." - Clark Sweat, Chief of Corporate Partnerships for Children’s Miracle Network Hospitals

“We are extremely pleased Veriphyr has joined our cause to help deserving institutions like Gillette Children’s Specialty Healthcare,” said Clark Sweat, Chief of Corporate Partnerships for Children’s Miracle Network Hospitals.

About Gillette Children’s Specialty Healthcare
Gillette, an independent, not-for-profit hospital and clinics, is internationally recognized for its work in the diagnosis and treatment of children and young adults who have disabilities or complex medical needs. Gillette’s mission is to help children, adults and their families improve their health, achieve greater well-being, and enjoy life. For more, visit www.gillettechildrens.org.

About Children’s Miracle Network Hospitals (CMNH)
Children’s Miracle Network Hospitals (CMNH) is a non-profit organization that raises funds for children’s hospitals, which in turn, uses the funds how they are needed most. . CMNH has raised over US$4 billion which is distributed directly to a network of 170 hospitals across North America. www.childrensmiraclenetworkhospitals.org.

About Veriphyr
Veriphyr is a leading provider of Identity and Access Intelligence (IAI) that enables organizations to discover data privacy breaches and inappropriate access to data in applications, databases, and systems. Veriphyr uses data analytics to transform identity, rights, and activity data from commercial and custom applications into actionable intelligence for privacy, compliance, risk, and security management.

Editorial Contact:
Marc Gendron
Marc Gendron PR
781-237-0341
marc@mgpr.net


###
Veriphyr is a trademark of Veriphyr, Inc. in the United States. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.

Share