Previously we’ve written about breaches caused by outside sources: cyber criminals and the virulent programs designed to rob you of valuable information. These are faceless criminals off in the distance.
But what happens when the source of the breach is closer to home?
A Florida-based pediatric practice recently had to find out, as Bank Info Security
The Pediatric Gastroenterology, Hepatology & Nutrition of Florida recently had a former administrative employee indicted in federal court for alleged identity theft and fraud crimes. This employee, along with two other individuals not associated with the medical office, have been accused of stealing patient information.
An indictment document cited by Bank Info Security notes that: “It was a part of the conspiracy that the conspirators and others would, and did, steal and obtain stolen personally identifiable information (PII) from Pediatric Gastroenterology, Hepatology & Nutrition of Florida, among other sources. This stolen PII included names, dates of birth, and Social Security numbers, among other things, of the medical practice’s current and former patients, patients’ parents and/or guardians.”
Using this stolen information, the conspirators then allegedly applied for credit cards and lines of credit through which they made purchases or withdrew money.
Bank Info Security reports that this breach affected 13,000 patients.
What it Means
In the aftermath of this breach, Pediatric Gastroenterology took a variety of steps to enhance their security.
Bank Info Security cites the Department of Health and Human Services’ Office for Civil Rights, who noted that they “implemented physical security procedures to reduce the risk of unauthorized access to printed documents and implemented role based access procedures to limit access to electronic protected health information (PHI). The CE also improved administrative safeguards by requiring random background checks on its employees throughout the duration of their employment. The CE also terminated the involved employee’s employment. The employee was criminally investigated for actions related to this breach.”
This breach is just the latest example illuminating the threat insiders can pose for businesses. Setting levels of access for employees to sensitive data is an essential step every business must take. No one should have more access than needed to perform their job responsibilities.
Things like this can slip through the cracks. They may seem like innocent mistakes, but as shown in the example of Pediatric Gastroenterology, the worst case scenario is something you simply don’t want to face.