Saturday, July 30, 2011

Social Security Employee Steals Personal Information for Identity Theft


A US Attorney charged a Social Security service representative with accessing the Social Security database for purposes unrelated to her job function.

The service representative at the West Memphis, Arkansas office allegedly passed the personally identifiable information (PII) on to another person who used it to commit identity theft.
"Identity theft is a serious crime. Government employees with access to personal identification information have a duty to the citizens of this Country to protect that information." - Christopher R. Thyer, US Attorney, Eastern District of Arkansas
The Social Security Administration employee appeared before the Honorable J. Thomas Ray on July 20th for an initial appearance. She was released on her own recognizance. The case will be presented to the next grand jury for indictment.
Learn how an online service proactively detects unauthorized breaches of personal data, even by authorized insiders - with no hardware and no on-site software.
A complaint contains only allegations. The defendant is presumed innocent unless and until proven guilty.

Sources:
(a) West Memphis Social Security Administration Employee Arrested On Federal Complaint - United States Attorney Office for the Eastern District of Arkansas, July 20, 2011
(b) SSA Employee Leaks Dozens of Social Security Numbers - Channel 3 News, July 29, 2011


Tuesday, July 26, 2011

Information Security Luminary Steve Katz Joins Veriphyr Advisory Board

Identity and Access Intelligence SaaS Provider Taps Prominent Financial Services Expert as Strategic Counselor

Veriphyr, a leading provider of Identity and Access Intelligence (IAI), today announced that Steve Katz, one of the leading authorities on information security for the financial services sector, has joined the company as the first member of its Board of Advisors. Mr. Katz will provide strategic technology, go-to-market, and business development counsel to Veriphyr’s management team.

Former CISO at Citibank, JP Morgan, and Merrill Lynch
Mr. Katz is one of the preeminent figures and leading thinkers in matters of financial services information security. He is the former Chief Information Security Officer (CISO) for Citibank, JP Morgan, and Merrill Lynch, and was appointed as the Financial Services Sector Coordinator for Critical Infrastructure Protection by the Secretary of the Treasury. Mr. Katz is a founder and president of Security Risk Solutions LLC, a leading information security consulting firm.
“Veriphyr has developed a very powerful platform for analyzing mountains of identity and access rights, policy and usage data to extract actionable security and regulatory compliance intelligence,” said Steve Katz. “The applications for this technology in the highly regulated and risk sensitive financial services arena are significant. I am looking forward to working with Veriphyr to help them expand their footprint in this market.”
Veriphyr’s identity and access intelligence SaaS solution proactively detects data privacy breaches and inappropriate access to applications, databases, and systems. The company’s advanced data analytics transform identity, rights, and activity data to expose threats and regulatory violations that span privacy, compliance, risk, and security.
“Steve Katz is one of the most respected, knowledgeable, and connected information security experts in the financial services industry,” said Alan Norquist, Founder and CEO of Veriphyr. “His decision to join the Veriphyr advisory board gives our technology a major credibility boost in the financial services market. We are extremely pleased to welcome Steve to our team, and are fortunate to have him as a trusted advisor.”
About Veriphyr
Veriphyr Identity and Access Intelligence (IAI) service discovers data privacy breaches and inappropriate access to applications, databases, and systems. Veriphyr applies advanced data analytics to transform identity, rights, and activity data into actionable intelligence for business management in privacy, compliance, and security.

Editorial Contact:
Marc Gendron
Marc Gendron PR
781-237-0341
marc@mgpr.net

Veriphyr is a trademark of Veriphyr, Inc. in the United States. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.

Thursday, July 21, 2011

What is Sufficient Proof that an Employee Violated Patient Data Privacy?

When a healthcare worker is alleged to have accessed the electronic medical records of a patient who is not under their care, what proof is sufficient? And what is the proper course of action? Your thoughts?

A Real Example with the Names Removed
A former resident physician is suing a hospital over her firing for violating patient data privacy.
  • On June 6, 7 and 10, 2009 she allegedly accessed medical records inappropriately in violation of hospital policy and HIPAA.

  • On July 22, 2009 she was dismissed from the hospital.

  • On June 11, 2010, although she denied any wrongdoing, she entered into a combined statement of charges and settlement with the Board of Medicine. The settlement involved a public reprimand, a civil fine of $2,500, and participation in an ethics program.

  • On July 11, 2011 she filed a petition with the court requesting a jury trial over her dismissal.
She now claims she was terminated with no notice and was given no opportunity to respond to the allegations. How could the proof be insufficient such that she could dispute the improper access? What would be in debate?

For more details see the Board of Medicine's Statement of Charges and Settlement Agreement.

So what do you think? What constitutes proof when the person being charged denies they looked at a patient’s electronic health information improperly?

Share your thoughts in the comments.

Sources:
(a) Iowa Board of Medicine's Statement of Charges and Settlement Agreement - Iowa Board of Medicine, June 11, 2010
(b) Former Mercy resident physician suing hospital over firing - Mason City Globe Gazette , July 13, 2011


Wednesday, July 20, 2011

Healthcare Insider Blamed by Identity Theft Victim

Press Reports on Senior Citizen's Efforts to Clear Her Name

A local paper details the trials of an identity theft victim who blames inappropriate access to her medical records as the source of her problems.

One can argue that an insider at a healthcare organization may not be the source of her problems, but this patient's view, and the press coverage it received, show how the public perceives the privacy of personal health information.
"She suspects someone with access to her medical records may have sold the basic information needed to tap into her good name and credit history." - Margie Kacoha, Reporter for Palm Beach Daily News
Her problems started in 2009 with someone trying to open a credit card account in her name, and they are still going on, with a cable company now pursuing her through a debt collection agency.
"It’s insanity, I tell you. The amount of time I have put in to clear my name is just unbelievable." - Leila Warren, Identity Theft Victim
For the complete story see: ID theft victim recounts fight to clear her name
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized access to health records and financial data, even by authorized users - with no hardware and no on-site software.
Sources:
(a) ID theft victim recounts fight to clear her name - PalmBeach Daily News, July 5, 2011


Tuesday, July 19, 2011

Alabama Regional Medical Center Victim of Patient Information Theft

An unknown individual stole patient medical records from a regional medical center in Troy, Alabama. The hospital has mailed letters to approximately 880 patients affected, all of whom were born between 1988 and 1992.

The authorities believe this and other thefts from hospitals in Georgia and Alabama are related to fraudulent tax returns filed with the Internal Revenue Service.
"We greatly regret this incident and we are committed to protecting our patients’ information and to providing assistance to protect the personal information of the patients affected." - Chief Executive Officer and Administrator, Troy Regional Medical Center
The hospital only learned on May 20, 2011, that patients’ personally identifiable information had been stolen. The data includes name, address, date of birth, Social Security number, and medical record number, but not treatment or diagnosis.
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
The hospital has done its own internal investigation and enhanced its safeguards and procedures, including the immediate, mandatory training of all employees regarding the protection of patient information.

Sources:
(a) Troy Regional Medical Center Notifies Patients of Data Theft - Troy Regional Medical Center(TRMC), July 6, 2011


Monday, July 18, 2011

Georgia Hospital Victimized by Theft of Patient Information

An unknown individual stole patients' medical records from a hospital in Dekalb County, Georgia.

The Secret Service brought the matter to the hospital’s attention because this and other thefts in Georgia and Alabama are related to fraudulent tax returns filed with the Internal Revenue Service.
"We take this matter very seriously and are taking steps designed to minimize the possibility of such an event occurring in the future." - President and CEO, DeKalb Medical
The hospital only became aware of the data theft recently even though the thefts involve patients seen between July and October 2010. The hospital has mailed letters to approximately 7,500 patients whose personally identifiable information (PII) may have been taken.
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) DeKalb Medical Reports Theft of Patient Information - DeKalb Medical Atlanta Hospital and Medical Center , July 15, 2011


Sunday, July 17, 2011

Hospital Victimized by Secretary's Unauthorized Access of 188 Electronic Health Records

A temporary secretary illicitly read nearly 200 patients' medical records while working at the Haartman Hospital.

Just last week patients of the hospital were sent a letter of apology, even though the hospital and the Helsinki police had discovered the data breach over a year ago. A criminal investigation is currently ongoing.
"The viewing of patients’ medical records is increasingly common in Finland." - Reijo Aarnio, Ombudsman at the Office of the Data Protection
One person who received a letter was quoted as saying, "It feels like any summer intern can get into Haartman hospital’s database. Unbelievable!"
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Finland: Patient records illegally accessed at Helsinki hospital - Codewit News, July 17, 2011


Saturday, July 16, 2011

Health Clinic Victimized by Employee Stealing Patient Data for Identity Theft

An administrative assistant for a tuberculosis program stole patient data while working at the Metropolitan Health District clinic in San Antonio, Texas.

The administrative assistant, who got his job through a temp agency, pleaded guilty to conspiracy to commit identity theft and faces up to five years in prison.

This was not his first time misusing stolen information; court records said he used stolen information to buy a 2004 Harley-Davidson motorcycle in 2004.
Download a white paper on medical records privacy breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
This time the administrative assistant and his partner used the stolen information to buy a 2003 Chevrolet Silverado, a Corvette, a 2009 Harley-Davidson, a 2005 Cadillac CTS, a 2006 Chevrolet Avalanche, jewelry, a 2007 Cadillac Escalade and a 2009 Dodge Caliber.

Sources:
(a) Ex-city workers used stolen IDs in costly spree - express-news.net, July 12, 2011


Friday, July 15, 2011

Hospital Employee Stole Patient Records for 2 Years to Commit Identity Theft and Credit Fraud

Yet another hospital has been victimized by an employee stealing patient data for the purposes of identity theft and credit card fraud.

According to this week's indictments, an employee at a university medical center in Baltimore, Maryland stole identity information from patient files for 2 years before being caught.

The employee and three co-conspirators used the stolen patient data to open credit accounts and to access the victims' existing accounts.
"The defendants are charged with preying upon seriously ill hospital patients and their families by using their personal information to access their credit accounts and even to open new credit accounts using their identities." - Rod J. Rosenstein, United States Attorney for the District of Maryland
The hospital only became aware that patient data had been stolen regularly from July 2009 through June 2011 when it was contacted by the Baltimore City Police Department and the U.S. Postal Inspection Service. The hospital suspended the employee in question and cooperated with law enforcement in the investigation.
Download a white paper on medical records breach detection as a service. Learn about a service that proactively identifies unauthorized breaches of patient privacy, even by authorized users - with no hardware and no on-site software.
Each of the defendants faces a maximum sentence of 30 years in prison. The hospital employee faces a mandatory two years in prison, consecutive to any other sentence imposed, for each of four counts of aggravated identity theft.

An indictment is not a finding of guilt. An individual charged by indictment is presumed innocent unless and until proven guilty at some later criminal proceedings.

Sources:
(a) Hospital employee and three others accused of stealing patients' identities - The Baltimore Sun, July 14, 2011
(b) Former Hospital Employee and Three Others Indicted in Identity Theft Scheme - United States Attorney for the District of Maryland, July 14, 2011


Thursday, July 14, 2011

Feature Story on Patient Data Privacy Breaches in Colorado Springs Newspaper

If you are interested in what the general public is reading about patient data privacy breaches, The Gazette of Colorado Springs has a feature article on medical records snooping.

This is a follow-up to their story about the city nurse who was caught snooping on 2,500 patient records.

Here is one of the many interesting quotes in the article.
"When personally identifiable health information is disclosed to an employer, insurer, or family member, for example, the disclosure can result in stigma, embarrassment, and ... and/or other psychologically harmful results." - "Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research" by the Institute of Medicine
What are your thoughts on how this issue is presented to the general public?

For the entire article see: http://bit.ly/TheGazette

Download a white paper on medical records privacy breach detection as a service. Learn how an on-demand, pay-per-use service can cost effectively address the HIPAA/HITECH privacy and security rules - with no hardware and no on-site software.


Wednesday, July 13, 2011

Can Patient Privacy be Secured when Hospitals Need to Give Non-Employees Access to the EHR?

A Colorado Springs city employee who was authorized to access a local hospital's EHR as part of her job is alleged to have snooped on 2,500 electronic medical records that were unrelated to her job.

How can a hospital maintain patient data privacy when it needs to allow non-employee healthcare workers access to the hospital's medical records? Given the drive toward health information exchanges (HIE), how can hospitals protect their patients' data privacy? Your thoughts?
"From my understanding, she was accessing the [electronic medical] records when she wasn’t at work. She wasn’t doing it as part of her job." - Hospital Spokesman
The city employee had worked as an occupational health nurse for eight years. As part of her job she was authorized to access the hospital's medical records related to her patients.

The nurse had signed forms agreeing to abide by HIPAA/HITECH privacy requirements, but according to a reporter at The Gazette, a local newspaper, the nurse did admit to accessing the electronic medical records for personal reasons, such as looking up the phone number of a friend whose number she had lost.
"I guarantee that accessing the [medical records] database for stuff like that is rampant in the medical community. If you talked to other medical people, you’d find out that it’s pretty damn common." - Nurse accused of unauthorized access
The hospital only learned of the 2,500 privacy breaches when it was notified by the city. The nurse's supervisor had raised a concern because of unusual patient access activity by the nurse, including a high frequency of access and access from unusual locations.

The nurse claims her supervisor was fishing for an excuse to fire her after the nurse's 'psychic' abilities revealed her supervisor had a life-threatening condition. The nurse admits to looking at the supervisor's medical records to see if the supervisor heeded her advice and sought treatment.

As a result the hospital is looking into a software service to more quickly alert hospital officials to unusual activity surrounding electronic medical records.
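The signals the supervisor noticed (a high frequency of access, access from unusual locations, and access while not at work) can be checked mechanically against an EHR audit trail rather than waiting for a colleague to notice. The following is an added example, not code from the hospital, the city, or Veriphyr: it reads constructed audit records and flags each access that falls outside the user's care assignments, scheduled hours, or on-site workstations, and separately flags any user whose access volume is far above that of their peers. The record format, the care-assignment and shift tables, the `WS-ONSITE-` workstation naming convention and the 3x peer-median threshold are all assumptions made for illustration.

```python
"""Flag unusual EHR access from audit records: patients outside the user's
care assignments, access outside scheduled hours, access from off-site
workstations, and per-user access volume far above peers."""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample audit records (timestamp, user, patient, workstation); not real data.
AUDIT_LOG = """\
2011-06-06T09:12:04,nurse_a,P1001,WS-ONSITE-12
2011-06-06T10:40:51,nurse_a,P1002,WS-ONSITE-12
2011-06-06T09:05:10,nurse_b,P2001,WS-ONSITE-03
2011-06-06T11:22:33,nurse_b,P2002,WS-ONSITE-03
2011-06-06T08:30:00,nurse_c,P3001,WS-ONSITE-07
2011-06-06T22:31:10,nurse_c,P1001,WS-REMOTE-41
2011-06-06T22:33:45,nurse_c,P2001,WS-REMOTE-41
2011-06-06T22:35:02,nurse_c,P4001,WS-REMOTE-41
2011-06-06T22:36:18,nurse_c,P4002,WS-REMOTE-41
2011-06-06T22:38:57,nurse_c,P4003,WS-REMOTE-41
2011-06-06T22:40:12,nurse_c,P4004,WS-REMOTE-41
2011-06-06T22:41:40,nurse_c,P4005,WS-REMOTE-41
"""

# Assumed reference data: the patients each user is assigned to and the hours they work.
CARE_ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "nurse_b": {"P2001", "P2002"},
    "nurse_c": {"P3001"},
}
SHIFT_HOURS = {"nurse_a": (7, 19), "nurse_b": (7, 19), "nurse_c": (7, 19)}
ONSITE_PREFIX = "WS-ONSITE-"  # assumed naming convention for in-building workstations
VOLUME_RATIO = 3.0  # flag a user whose access count exceeds 3x the median of their peers


def parse_log(text):
    """Parse the CSV-style audit lines into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, workstation = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "workstation": workstation,
        })
    return records


def flag_record(rec, assignments, shifts, onsite_prefix):
    """Return the reasons a single access record is suspicious (empty list if none)."""
    reasons = []
    if rec["patient"] not in assignments.get(rec["user"], set()):
        reasons.append("patient not in care assignment")
    start, end = shifts.get(rec["user"], (0, 24))
    if not start <= rec["ts"].hour < end:
        reasons.append("outside scheduled hours")
    if not rec["workstation"].startswith(onsite_prefix):
        reasons.append("off-site workstation")
    return reasons


def volume_outliers(records, ratio=VOLUME_RATIO):
    """Users whose access count exceeds `ratio` times the median count of the other users."""
    counts = Counter(r["user"] for r in records)
    outliers = {}
    for user, n in counts.items():
        peers = [c for u, c in counts.items() if u != user]
        if peers and n > ratio * median(peers):
            outliers[user] = n
    return outliers


def review_queue(text, assignments=CARE_ASSIGNMENTS, shifts=SHIFT_HOURS,
                 onsite_prefix=ONSITE_PREFIX):
    """Group flagged accesses by user so a privacy officer can review them."""
    records = parse_log(text)
    queue = {}
    for rec in records:
        reasons = flag_record(rec, assignments, shifts, onsite_prefix)
        if reasons:
            queue.setdefault(rec["user"], []).append((rec["patient"], reasons))
    for user, n in volume_outliers(records).items():
        queue.setdefault(user, []).append(("*", [f"{n} accesses vs. peer median"]))
    return queue


if __name__ == "__main__":
    for user, items in review_queue(AUDIT_LOG).items():
        print(user)
        for patient, reasons in items:
            print(f"  {patient}: {'; '.join(reasons)}")
```

On the constructed log only nurse_c lands in the review queue: seven evening accesses from an off-site workstation to patients outside her assignment, plus a volume entry because her count is four times that of either peer. The per-record checks are the ones a non-employee with legitimate but narrow EHR access most often trips; the volume check catches a user who stays on site and in hours but reads far more charts than the job requires.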

Sources:
(a) Memorial Patient Records Improperly Accessed - Memorial Health System, July 11, 2011
(b) 'Psychic' nurse says she is unfairly targeted in hospital records case - The Gazette, July 11, 2011


Thursday, July 7, 2011

UCLA Health System Agrees to Pay $865,500 for Snooping of Celebrity Medical Records

The UCLA Health System (UCLAHS) agreed to pay federal regulators $865,500 for violations of HIPAA, according to a press release from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The settlement covers the breach of patient privacy involving two celebrity patients who had filed separate complaints with the OCR.
"Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections." - OCR Director Georgina Verdugo
While regulators and hospital management decline to disclose the identity of the celebrities, the fine covers 2005 to 2009. During those years hospital employees were fired for snooping on protected health information of celebrities such as Farrah Fawcett and Britney Spears.
"Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity." - OCR Director Georgina Verdugo
OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.
Learn about a proactive privacy breach detection service. Read a whitepaper about an automated solution that proactively discovers breaches of patient privacy - with no hardware and no on-site software.
The HHS Resolution Agreement and CAP can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/UCLAHSracap.pdf

Sources:
(a) University of California settles HIPAA Privacy and Security case involving UCLA Health System facilities - U.S. Department of Health and Human Services Press Release, July 7, 2011


Wednesday, July 6, 2011

Retailer's Employee Breaches Customer Data Privacy

Another retailer has been victimized by an employee who exploited his insider access to steal and misuse customers' personal data.
"Recently we discovered that an individual working at an Apple Retail Store accessed credit card information of some Apple customers." - Doug Vetter
The letter to the Attorney General of New Hampshire states that the employee was arrested and fired but provides no details on the crime or what resulted from the arrest.
Learn about Identity and Access Intelligence as a service. See how an on-demand, pay-per-use service analyzes identities, privileges, and user activity to detect snooping into sensitive data - with no hardware and no on-site software.
Sources:
(a) Apple Letter to New Hampshire Attorney General - New Hampshire Department of Justice, June 16, 2011


Patient Data Privacy Survey - Compliance and Security

Survey Reveals Leading Source is Employees Snooping into Medical Records
Veriphyr announces the results of a new survey on Protected Health Information (PHI) privacy breaches. According to the findings, more than 70 percent of the organizations in the study have suffered one or more breaches of PHI within the last 12 months.

Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives.

The report, entitled “Veriphyr’s 2011 Survey of Patient Privacy Breaches,” summarizes the findings of a survey of compliance and privacy officers at mid to large sized hospitals and healthcare service providers. A complimentary copy is available here (registration required).

Respondents were queried on their perceptions of privacy and compliance initiatives within their organization, adequacy of tools to monitor unauthorized access to PHI, and the number and type of breaches sustained in the past year.
“Given that data breaches of patient information cost healthcare organizations nearly $6 billion annually, we were not very surprised to discover that more than 70 percent of the organizations surveyed were victimized last year,” said Alan Norquist, CEO of Veriphyr.

“However, we did not expect the prevalence of insider abuse reported, and that nearly 80 percent of the respondents feel they lack adequate controls to detect PHI breaches in a timely fashion.”
Some of the report’s key findings include:
  • Top breaches in the past 12 months by type:
    • Snooping into medical records of fellow employees (35%)
    • Snooping into records of friends and relatives (27%)
    • Loss /theft of physical records (25%)
    • Loss/theft of equipment holding PHI (20%)
  • When a breach occurred, it was detected in:
    • One to three days (30%)
    • One week (12%)
    • Two to four weeks (17%)
  • Once a breach was detected, it was resolved in:
    • One to three days (16%)
    • One week (18%)
    • Two to Four weeks (25%)
  • 79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI
  • 52% stated they did not have adequate tools for monitoring inappropriate access to PHI
Editorial Contact: Marc Gendron, Marc Gendron PR, #781-237-0341, marc@mgpr.net
Learn about a medical records abuse detection service that proactively identifies patient data privacy abuse, even by authorized users - with no hardware and no on-site software.

Tuesday, July 5, 2011

Will Your Employees Be Bribed to Steal Patient Data?


A hospital was victimized by a trusted employee who was enticed into stealing patient data by the promise of a few thousand dollars.

What are you doing to help your employees avoid the lures of organized crime? Do your employees feel they are certain to be caught if they steal patient data?

Corrupted by the promise of $4,000, a surgical instrument technician at a Pittsburgh hospital stole patient names and Social Security numbers. The criminals who recruited him used the patient data to file unauthorized tax returns to claim $84,190 in tax refunds.
"He did not know that these numbers were going to be used for fraudulent tax returns. He's ... almost a victim himself." - Attorney Anthony Bittner, who represents the defendant
The hospital technician, who said he never received the promised cash, pleaded guilty to unauthorized disclosure of personal medical information in violation of the federal HIPAA law. He faces up to one year in prison and a fine of $50,000. The people who corrupted him escaped prosecution by fleeing the country.

The crime was detected when patients of the hospital discovered that tax returns had already been filed in their names; they alerted the U.S. Postal Service, the IRS and the U.S. Secret Service. Those organizations conducted the investigation that led to the indictment in this case.

Download a white paper on medical records privacy breach detection as a service. Veriphyr delivers a credible detective control that discourages employees from violating patient privacy - with no hardware and no on-site software.
Sources:
(a) Zambian man pleads guilty to identity theft of hospital patients - Pittsburgh Post-Gazette, July 1, 2011
(b) Former UPMC Shadyside Hospital Employee Pleads Guilty to HIPAA Violation - US Attorney's Office, Western District of Pennsylvania, June 30, 2011


Saturday, July 2, 2011

$19 Million Embezzled from CitiGroup by VP with Excessive Access Rights

A former Citigroup vice president in the internal finance department is charged with embezzling over $19 million.

Between July and December of 2010 the defendant allegedly transferred money between numerous Citigroup corporate accounts and his personal account at JPMorgan Chase.
"The defendant allegedly used his knowledge of bank operations to commit the ultimate inside job." - Loretta E. Lynch, US Attorney, Eastern District, New York
The former VP appears to have accrued excessive access rights to sensitive banking systems so he could both authorize and initiate eight large transfers of cash. Excessive access may also explain how he could associate fraudulent contracts and deal numbers with the wire transfers and make them appear to be for existing contracts.
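The two weaknesses this points to, one person holding both the initiate and approve rights for wires and being able to attach his own contract and deal numbers to transfers, are exactly what a separation-of-duties (SoD) review looks for, both preventively in the entitlement data and after the fact in the transaction log. The following is an added example, not Citigroup's controls and not Veriphyr's product: it runs a preventive check for toxic right combinations over a user-to-entitlement table and a detective check over a wire-transfer log cross-referenced with a contract register. The user names, right names, contract register and transfers are all constructed for illustration.

```python
"""Separation-of-duties (SoD) checks over entitlement data and a wire-transfer log."""
from collections import defaultdict

# Constructed sample data (not Citigroup's); user names, rights and fields are assumptions.
ENTITLEMENTS = {
    "vp_x": {"wire.initiate", "wire.approve", "contract.create"},
    "clerk_1": {"wire.initiate"},
    "mgr_1": {"wire.approve"},
    "ops_2": {"contract.create"},
}

# Sets of rights that one person must never hold together.
TOXIC_COMBINATIONS = [
    {"wire.initiate", "wire.approve"},
    {"contract.create", "wire.initiate"},
]

# Contract register: contract id -> user who created it.
CONTRACTS = {"C-1001": "ops_2", "C-1002": "ops_2", "C-2001": "vp_x"}

# Wire-transfer log: (transfer id, initiator, approver, amount, referenced contract).
TRANSFERS = [
    ("T1", "clerk_1", "mgr_1", 250_000, "C-1001"),
    ("T2", "clerk_1", "mgr_1", 75_000, "C-1002"),
    ("T3", "vp_x", "vp_x", 3_900_000, "C-2001"),
    ("T4", "vp_x", "vp_x", 2_100_000, "C-9999"),
]


def toxic_entitlements(entitlements, toxic=TOXIC_COMBINATIONS):
    """Preventive check: users whose current rights contain a toxic combination."""
    findings = {}
    for user, rights in entitlements.items():
        hits = [combo for combo in toxic if combo <= rights]
        if hits:
            findings[user] = hits
    return findings


def transfer_violations(transfers, contracts, entitlements):
    """Detective check: transfers whose initiator, approver or contract reference breaks SoD."""
    findings = defaultdict(list)
    for tid, initiator, approver, amount, contract in transfers:
        if initiator == approver:
            findings[tid].append("self-approved")
        if "wire.approve" not in entitlements.get(approver, set()):
            findings[tid].append("approver lacks wire.approve")
        if contract not in contracts:
            findings[tid].append("unknown contract reference")
        elif contracts[contract] == initiator:
            findings[tid].append("initiator created the referenced contract")
    return dict(findings)


def exposure(transfers, violations):
    """Total amount moved by transfers that carry at least one SoD finding."""
    return sum(amount for tid, _, _, amount, _ in transfers if tid in violations)


if __name__ == "__main__":
    print("Toxic entitlement combinations:")
    for user, combos in toxic_entitlements(ENTITLEMENTS).items():
        print(f"  {user}: {[sorted(c) for c in combos]}")
    violations = transfer_violations(TRANSFERS, CONTRACTS, ENTITLEMENTS)
    print("Transfers with SoD findings:")
    for tid, reasons in violations.items():
        print(f"  {tid}: {'; '.join(reasons)}")
    print(f"Exposure: {exposure(TRANSFERS, violations):,}")
```

On the constructed data the preventive check flags vp_x for both toxic combinations before any money moves, which is the cheaper place to catch the problem; the detective check then shows two self-approved transfers, one tied to a contract the initiator himself created and one tied to a contract number that does not exist in the register, for a combined exposure of 6,000,000. Either check alone would have surfaced the pattern the complaint describes well before an internal audit months later.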

According to the complaint, Citigroup only discovered the fraud many months after it occurred as part of an internal audit of the department.
In the time between the crime and its discovery the defendant allegedly used some of the money to purchase a Maserati, a BMW, and six properties, including a home with a half-million-dollar entertainment system.
For other insider frauds see: Insider Steals $11 Million Despite Separation Duties Controls

Sources:
(a) Former Citigroup Vice President Charged With Bank Fraud For Embezzling More Than $19 Million - US Attorney's Office, Eastern District of New York, June 27, 2011
(b) US Attorney's Office Complaint - US Attorney's Office, Eastern District of New York, June 27, 2011
(c) Arrest in Alleged Citi Fraud: Former Employee Charged with Embezzling $19 Million; 'Ultimate Inside Job' - Wall Street Journal, June 28, 2011



Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.