While the breaches were discovered during an audit in April 2014, they had been going on for a year, between April 2013 and March 2014. The former employee's logon credentials to this outside vendor had not been disabled.
"When an employee is terminated, their login credentials to vendors’ databases with PHI must also be terminated. How often do you verify that it is actually being terminated properly?" - PHI Privacy
Healthcare organizations seeking to rapidly confirm all access has been disabled, rather than depending on an occasional audit, can utilize low-cost on-demand SaaS access analytics services.
Learn how to proactively detect identity theft and unauthorized breaches of data privacy, even by authorized users - with no hardware and no on-site software.
Sources:
(a) Terminated employee continued to access Bon Secours’ patients’ billing information - www.PHIprivacy.net, 11/10/2014