Data Breach From Former Hospital Employee Goes Class Action
Data breaches that come from insiders of an organization
We hear about data breaches caused by outside attackers all the time. In the last two years, the healthcare industry has been hit by more attacks than ever before; one only has to look at the Anthem or Premera breaches to see how many people have been affected.
Hospitals have also seen an increase in cyber attacks. Many have fallen victim to malware, and even to ransomware, where the hospital is locked out of its own computers until it pays the attackers. This happened at 14 different hospitals in the United States during 2016.
While hospitals are hard at work preventing online attackers, they cannot afford to lose sight of another threat: a breach from within the organization.
Flowers Hospital data breach goes class action
An Alabama hospital, Flowers Hospital in Dothan, is one of the latest examples of a data breach going class action because of the actions of a former employee. The class action alleges that the former employee, together with others, stole patient information which was then used to file more than 100 fraudulent tax returns.
Seventy-three of the returns were processed, attempting to defraud the IRS of approximately $536,000. While the IRS was able to stop most of the fraudulent refunds, $18,915 was still paid out to the data thieves. The thieves were eventually caught, and one of them pleaded guilty to stealing the data and committing identity theft.
Advice from Steven Teppler about Insider Threats
Attorney Steven Teppler of the Abbott Law Group notes that despite the attention cyberattacks and external threats are getting, healthcare entities cannot afford to lose focus on preventing and detecting breaches involving insiders, or insiders' credentials.
The Flowers Hospital case “is a public service announcement to healthcare providers – make sure you have your house in order” in terms of dealing with insider threats, Teppler says.
“You want to look at after-hour [data access] activity on a random sampling basis to find out what computers, what network nodes are involved in out-of-band activity being copied, sent and received,” he says. “You want to watch traffic patterns and people patterns.”
It is also important to apply the principle of least privilege to access to sensitive data: a person should have only the minimum access to the network and its data needed to do their job, and no more. Employees should not have access to every module or database when their job does not involve those areas. Scoping access this way limits what a malicious insider can copy, and equally what an attacker who steals that insider's credentials can reach.
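Both controls described above, after-hours access review on a sampling basis and least-privilege checks on who touched what, can be turned into a first-pass review script over an access audit log. The following is an added example, not code from the article or from Flowers Hospital; the log format, the role matrix, the business-hours window and the log lines are all constructed for illustration, and the thresholds are assumptions to be tuned to a real environment.

```python
"""Flag insider-style access anomalies in a (constructed) patient-record audit log.

Added example. Assumes a hypothetical whitespace-separated log format:
    <ISO timestamp> <user> <role> <action> <resource> <patient_id>
and a hypothetical role matrix describing what each role legitimately needs.
"""
import random
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a billing clerk reading and exporting demographics
# late at night, and a nurse doing routine work plus one late-shift read.
SAMPLE_LOG = """\
2016-03-02T09:14:03 jsmith billing read billing_record 10001
2016-03-02T09:15:11 jsmith billing read billing_record 10002
2016-03-02T23:41:50 jsmith billing read demographics 10003
2016-03-02T23:42:02 jsmith billing export demographics 10004
2016-03-02T23:42:09 jsmith billing export demographics 10005
2016-03-02T23:42:15 jsmith billing export demographics 10006
2016-03-02T14:05:30 rlee nurse read clinical_note 20001
2016-03-02T14:06:01 rlee nurse read demographics 20001
2016-03-02T02:10:44 rlee nurse read clinical_note 20002
"""

# Hypothetical least-privilege matrix: resources each role needs for its job.
ROLE_PERMISSIONS = {
    "billing": {"billing_record"},
    "nurse": {"clinical_note", "demographics"},
}

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 counts as working hours (assumption)
BULK_THRESHOLD = 3             # distinct patients touched after hours before we flag (assumption)


def parse_log(text):
    """Turn raw log lines into dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, resource, patient = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "action": action,
            "resource": resource, "patient": patient,
        })
    return events


def out_of_role(events, perms=ROLE_PERMISSIONS):
    """Least-privilege check: accesses to resources the user's role does not need."""
    return [e for e in events if e["resource"] not in perms.get(e["role"], set())]


def after_hours(events, hours=BUSINESS_HOURS):
    """Accesses whose timestamp falls outside the business-hours window."""
    return [e for e in events if e["ts"].hour not in hours]


def bulk_after_hours(events, threshold=BULK_THRESHOLD):
    """Users who touched many distinct patient records outside business hours."""
    per_user = defaultdict(set)
    for e in after_hours(events):
        per_user[e["user"]].add(e["patient"])
    return {u: len(p) for u, p in per_user.items() if len(p) >= threshold}


def sample_for_review(events, k, seed):
    """Random sample of after-hours events for a human reviewer; seeded for repeatability."""
    pool = after_hours(events)
    return random.Random(seed).sample(pool, min(k, len(pool)))


def report(text):
    """Summarise the three checks for a log; returns plain data so it can be asserted on."""
    events = parse_log(text)
    return {
        "events": len(events),
        "after_hours": len(after_hours(events)),
        "out_of_role_users": sorted({e["user"] for e in out_of_role(events)}),
        "bulk_after_hours": bulk_after_hours(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    for e in sample_for_review(parse_log(SAMPLE_LOG), k=2, seed=1):
        print("review:", e["ts"], e["user"], e["action"], e["resource"], e["patient"])
```

On the constructed log the billing clerk is flagged twice, once for touching demographics that a billing role has no need for, and once for pulling several distinct patients' records late at night, which is the copying pattern the quote above describes; the nurse's single late read is within role and below the bulk threshold, so it only shows up in the random sample for a human to look at. In practice the role matrix should come from the access-control system itself rather than a hand-written dict, so the review checks the policy that is actually enforced.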
If hospitals do not adapt and implement the security measures to keep both their patients and employees safe from having their personal information stolen, then they could be held liable for damages.