Saturday, January 29, 2011

Medical Identity Theft by Pharmacy Employee Results in 2 Year Jail Sentence

On January 25, 2011, a former pharmacy benefits analyst was convicted of health care fraud and sentenced to 24 months in prison, four years of supervised release, and $24,679.48 in restitution to Medicaid and Presbyterian Health Care Services (PHS).
The defendant had "no job reason" to enter the company's computer database to generate checks using the personally identifiable information (PII) of patients.
Between May 2008 and June 2008, the PHS pharmacy employee created fraudulent checks with the names and member IDs of legitimate PHS customers. She then changed the payee name to that of her friends and relatives who cashed the checks and turned the proceeds over to her.
Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.
(a) Albuquerque woman receives 24-month prison sentence for identity theft and health care fraud conviction - U.S. Department of Justice, January 25, 2011
(b) United States Of America, Vs. Christine Horning, Indictment - U.S. Department of Justice, April 14, 2010

Tuesday, January 25, 2011

Insurance Company Fined by Attorney General for Violations of Security Breach Notice Laws

The Attorney General of Vermont filed a complaint and proposed settlement regarding the loss of protected health information by Health Net, Inc., and Health Net of the Northeast, Inc.

The settlement includes a fine of $55,000, a mandatory data-security audit, and reports on the company’s information security programs for the next two years.

Previously, Health Net had been fined $250,000 to settle a HIPAA lawsuit by the Connecticut Attorney General and fined $375,000 by the Connecticut Insurance Department over a health information breach. (b)
"Companies must be careful to prevent Vermonters’ sensitive information, especially their medical records, from falling into the wrong hands." - Vermont Attorney General William Sorrell (a)
Learn how the Veriphyr Identity and Access Intelligence service effectively prevents or quickly detects inappropriate access to electronic medical records.

(a) Attorney General Settles Security Breach Allegations Against Health Insurer - The office of the Attorney General of Vermont, 1/2011
(b) Health Net Fined Again for Breach - Healthcare Info Security, 1/2011

Sunday, January 23, 2011

Public and Doctors Agree on Importance of Medical Privacy

A revealing survey by the Markle Foundation covers the importance of breach notification when medical records are improperly accessed, as well as a patient's right to review who has accessed their medical information.

Medical Breach Notification
Over 80% of doctors and the public said it was important that "individual patients be notified if their information falls into unauthorized hands" - Markle Foundation, 12/2010

Patient Review of Medical Record Access Log
Over 70% of doctors and the public said it was important that "patients be able to review who has had access to their personal health information" - Markle Foundation, 12/2010
Meet the challenges of detecting inappropriate access of electronic medical records with the Veriphyr Identity and Activity Analytics Service - the first hosted, on-demand data privacy audit solution, so there is no site-deployed software or hardware.

For more of the results from the Markle Foundation poll, go to: "Markle Survey: Public and Doctors Agree on Importance of Specific Privacy Safeguards" - Markle Foundation, 12/2010

Friday, January 21, 2011

After the Affair - Patient Asks if Lover Snooped Her Electronic Medical Records (EMR)

A woman, "Jane," had a brief relationship with a married family physician who practiced at a Burlington, Vermont hospital.

Later Jane became suspicious that the doctor misused his doctor privileges to snoop through her electronic medical records without her permission.

Jane exercised her HIPAA right to request an audit of everyone who had accessed her records and lodged a complaint with the Vermont Board of Medical Practice.
The state medical board discovered the doctor had inappropriately accessed Jane's records plus those of seven other women who weren’t his patients, a violation of HIPAA.
A stipulation and consent order signed in February 2010 reprimanded the doctor with a six-month suspension, and his medical license was “conditioned” for five years.

Jane questions why the hospital took two years to discover her privacy was breached, and then only after she notified the hospital of her suspicions.
Reduce your exposure to fines and lawsuits through more effective monitoring of access to personal health information. Download the medical privacy breach detection white paper to learn how Veriphyr identity and access intelligence addresses user access vulnerabilities related to HIPAA security and Meaningful Use objectives.
The hospital has since deployed a $58 million electronic medical records (EHR) system which, they say, doesn’t make snooping impossible but makes it far less likely to escape detection.
“They do know that we do this auditing on a regular basis, and they know that if they go someplace where they’re not supposed to be, they could be caught.” - Hospital CIO
(a) "How Secure Are Medical Records in the Age of Digital Record Keeping?" - Seven Days, 02/2010
(b) "State of Vermont Board of Medical Practice In Regard to Joshua Aaron Welch MD Stipulation and Consent Order" - State of Vermont Board of Medical Practice, February 2010

Thursday, January 20, 2011

Excessive Access Rights + Disgruntled Employee = Trouble

Excessive user access privileges let a disgruntled employee cause $7 million in damages. The trusted employee was a wiz at fixing any IT problem so she accumulated privileges far beyond her job requirements. When the company outsourced IT, she planted logic bombs that crashed racks of servers after she left the company.
"There is this tendency to give these people more privileges than they need because you never know when they'll need to be helping someone else out." - Larry Ponemon, Ponemon Institute
Learn how the Veriphyr Identity and Activity Analytics Service discovers users with excessive access privileges so you can avoid "privilege creep" disasters.
"This is what happens when privileges are granted to an individual to handle a specific task but are not revoked when the person no longer needs them." - Larry Ponemon, Ponemon Institute
The company continuity plan kicked in and they switched to their backup servers, but the woman had put logic bombs on the backup servers. It was very difficult for the company to figure out the problem and recover because the crashes seemed to have no common cause.
"A malicious employee [who's] angry can do a lot of damage in a way that's hard to discover immediately and hard to trace later." - Larry Ponemon, Ponemon Institute
(a) Security Fail: When Trusted IT People Go Bad - Computerworld, Jan 18, 2011
(b) Ponemon Institute

Wednesday, January 19, 2011

Jail Time for Inappropriate Access to Personal Identifying Information (PII)

A Tulsa, Oklahoma hospital worker was sentenced by U.S. District Judge James Payne to three years and nine months in prison because she "exceeded her computer-access authority" to steal personal identifying information (PII) from hospital computer systems. Her co-worker was sentenced to five years of probation with the first six months on home detention. (a & c)

Over six months, the pair violated the privacy of 60 patients by using patient names, dates of birth, and Social Security numbers to obtain credit cards and make purchases with them.
Law enforcement authorities made the hospital aware of "an investigation into allegations that a limited number of patient information sheets were wrongfully accessed by two former employees." - Spokeswoman for St. Francis Hospital (c)
Download the Veriphyr white paper on the challenges of detecting insider abuse and how Veriphyr meets security objectives for patient data privacy and user activity.
"an internal investigation was conducted in full cooperation with authorities. Later, federal investigators identified the 60 individuals whose information had been stolen. All of those people were contacted by the health system and as an additional safeguard, we provided identity theft monitoring and protection services for those affected." - Spokeswoman for St. Francis Hospital (c)
(a) Tulsa woman sentence nearly 4 years for credit-card fraud - Tulsa World, November 2010
(b) Federal Grand Jury Criminal Indictments Announced - April 7, 2010
(c) Hospital patient ID theft alleged - Tulsa World, April 2010

Monday, January 17, 2011

2011 Predictions from Gartner's Earl Perkins

Earl Perkins of the Gartner Group predicts the rise of IAM analytics, certification and other business-oriented services related to IAM, and that these new areas mean new parts of a company's management team will get involved in decisions on IAM products and services.
"The intelligence derived from identity access and administration will become more valuable (for the business anyway) than the functions of access and administration." - Earl Perkins, Gartner Group
For more on the column see: Identity in 2011: Anything but Dull - Gartner Group Blogs, January 2011

Learn more about Veriphyr Identity and Access Intelligence, the first identity and access intelligence service to detect enterprise user access vulnerabilities and privilege abuse with a hosted, on-demand delivery model.

Manager Snooped on Electronic Medical Records (EMR) of Over 400 Female Patients

A data quality manager was sentenced to jail for snooping on the medical records of 413 female patients over a 9-month period.

How did he invade patient privacy 597 times without detection? How did his behavior go unnoticed when he came in on weekends for the sole purpose of satisfying his "idle curiosity"?
This Peeping Tom looked at the electronic medical records of:
  • A female co-worker who had spurned his advances
  • A former girlfriend
  • Several women he had gone to school with
  • The deceased husband of a female colleague
  • 409 other female colleagues, family, and friends
Caught by Happenstance
He was finally exposed after 9 months because a manager at one of the GP surgeries chanced to notice the suspicious access. In September the data quality manager pleaded guilty to seven counts of breaching the Computer Misuse Act 1990. In October he was sentenced to six months' imprisonment, suspended for two years.

Systematically Detect Inappropriate Access to Patient Data
Learn how Veriphyr Identity and Access Intelligence prevents or quickly detects inappropriate access to patient electronic medical records.

(a) NHS manager spared jail after snooping on more than 400 patient records - Hull & East Riding, 10/5/2010
(b) Snooping NHS manager thrown before the judge - TechEye.Net, 9/22/2010
(c) The NHS IT worker who snooped on hundreds of patients' records - Yorkshire Post, 9/16/2010

Thursday, January 13, 2011

3 Fired at Tucson's University Medical Center for Inappropriately Accessing Electronic Medical Records (EHR)

Three healthcare workers at Tucson's University Medical Center were fired for inappropriately accessing the electronic medical records (EMR) of victims in the shooting spree that wounded 13, including U.S. Rep. Gabrielle Giffords (D-Ariz.).
"University Medical Center .. has terminated three clinical support staff members this week for inappropriately accessing confidential electronic medical records. A contracted nurse also was terminated by the nurse’s employer. We are not aware of any confidential patient information being released publicly. The families of all patients whose information was accessed have been notified.."
- University Medical Center - Tucson, AZ - Incident Command Site (a)
Hospital spokeswoman Katie Riley confirmed the firings involved records of patients connected with the shooting of U.S. Rep. Gabrielle Giffords. (b)

(a) University Medical Center - Tucson, AZ - Incident Command Site - Jan. 12, 2011, 12:30 p.m.
(b) 3 UMC workers fired for invading records - Arizona Daily Star, Jan. 13, 2011.

"Snooping" of Electronic Medical Records (EMR) at the National Health Service (NHS) in England

Freedom of Information (FoI) requests by the Yorkshire Post forced the release of disciplinary records by the National Health Service (NHS) in Yorkshire, England.

The records exposed dozens of healthcare workers and public servants caught inappropriately accessing electronic health records (EHR) and other personally identifiable information (PII).
A cleaner was caught accessing the private medical records of a friend to determine that she had recently had an abortion.. - Yorkshire Post (a)
Snooping for Profit and Curiosity - Both Innocent and Not So Innocent
A hospital receptionist tried to profit from her snooping by using patients' personal contact records in her second job as a market researcher. A nurse accessed the private medical test results of her daughter's father. A clerk was disciplined for looking up her brother's test results. A hospital staff member trying to send a birthday card to a relative was caught checking for the hospital ward they were on.
A hospital staff member accessed the electronic medical records (EMR) of an ex-partner's new partner.. - Yorkshire Post (a)
Learn how Veriphyr Identity and Activity Analytics effectively prevents or quickly detects inappropriate access to patient information.

(a) Exclusive: Scandal of computer snooping by public servants - Yorkshire Post, January, 2010
(b) Yorkshire trusts admit data breache -, January, 2010

Wednesday, January 12, 2011

EMR/EHR Software to Reach $3.8 Billion in 2015

IDC reports healthcare spending on software for electronic medical records (EMR) and electronic health records (EHR) is expected to grow to $3.8 billion in 2015 from $2 billion in 2009.

IDC's report, U.S. Electronic Health and Medical Records 2009-2015 -- Meaningful Use Spending Forecast and Analysis, focuses on the effect of the federal government's incentive programs for the adoption of meaningful use of EMR/EHR.

The report also highlights the growth of on-demand applications and storage to speed deployment and reduce the total cost of healthcare IT by converting it from a capital expenditure (CAPEX) to an operational expenditure (OPEX).

"The incentives provided by ARRA as well as the future penalties for non-implementors ... will fuel investments in electronic medical records (EMR) and electronic health records (EHR) and other enabling technologies." - Judy Hanover, research director for IDC Health Insights

Learn how to rapidly achieve meaningful use of EHR/EMR with Veriphyr on-demand service for privacy breach detection and user access compliance.

(a) U.S. Electronic Health and Medical Records 2009-2015 -- Meaningful Use Spending Forecast and Analysis - IDC, December, 2010

Tuesday, January 11, 2011

User Access Security Vulnerabilities "Could Lead to Unfit Airmen Being Medically Certified to Fly" - DOT Inspector General

The Department of Transportation reported serious user access security vulnerabilities in the Federal Aviation Administration's (FAA) medical record systems.

According to the report, the FAA is not ensuring each user’s level of access is "commensurate with a need to know" and is not removing access once an employee changes jobs or is terminated.

The FAA airmen Medical Support Systems (MSS) contains the medical records of over three (3) million commercial and private pilots.
The potential falsification of medical certificates "could lead to unfit airmen being medically certified to fly." - Rebecca C. Leng, Assistant Inspector General
Inappropriate Access of PII and User Access Vulnerabilities
According to the report, the medical records system cannot detect inappropriate user access to personally identifiable information (PII). For example, while staff are authorized to access airmen PII to conduct medical examinations, "accessing airman medical records for personal reasons is not appropriate and needs to be deterred."

Moreover, the names, addresses, Social Security numbers, medical data, and other PII of airmen are not properly secured to prevent unauthorized access and use.

Finally, former medical staff continued to have access to electronic medical records (EMR) even after their employment was terminated.

Combined, the report stated, these and other weaknesses make airmen’s personally identifiable information vulnerable to unauthorized access and use.
"To ensure aviation safety and protect the privacy of airmen, it is critical that this medical information be secure." - Rebecca C. Leng, Assistant Inspector General
On-Demand Service Detects Inappropriate User Access and Vulnerabilities(a)
Fortunately, there is a new breed of on-demand identity and activity analytics that can identify terminated employees, excessive access rights, and inappropriate access using information an organization already has.

Moreover, the Veriphyr pay-per-use identity and activity analytics service can be implemented in a matter of days, not months, quickly mitigating the risk of inappropriate access to medical records or other sensitive data.

Learn how the Veriphyr Identity and Activity Analytics Service effectively prevents or quickly detects sensitive data loss or theft, even access by terminated employees.

(a) Information security and privacy controls over the airmen medical support system - Report Number: FI-2010-060, June 18, 2010


Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.
