Former Company Executive Causes Breach Affecting Nearly 38,000

A recent breach affecting 37,636 individuals has been attributed to a terminated company executive. The information in the file included name, age, sex, race, county and state of residence, and zip code, as well as Medicare beneficiary information, such as Medicare eligibility period, spend information, and hierarchical condition category risk score.

This breach highlights some of the top security and privacy challenges covered entities and business associates face with insiders.

Texas-based accountable care organization Premier Patient Healthcare, in a report filed with the Maine attorney general's office, described the June 2020 incident, which was not discovered until April 2021, as "insider wrongdoing, loss or theft of device or media (computer, laptop, external hard drive, thumb drive, CD, tape, etc.)."

Breach Details

In a sample notification letter provided to the Maine attorney general’s office, Premier says that on April 30, it discovered evidence indicating that a former executive of Premier had accessed its computer system after the termination of his employment and had obtained and accessed a file containing health information.

Vendor Involvement?

A data security incident notice posted on Premier's website describes the incident somewhat differently: the discovery is credited to a third-party technology vendor, the access is dated to July rather than June 2020, and the former executive is described as having been associated with both Premier and that vendor.

In that statement, Premier says that on April 30, “Wiseman Innovations, a technology vendor of Premier Patient Healthcare, discovered evidence indicating that a former executive of Premier and its contracted technology vendor obtained and accessed a file containing sensitive health information in July 2020, after the termination of their employment.”

Steps to Take

The moment an employee gives notice or is terminated, HR and IT should work from a single offboarding checklist and confirm that each item has actually been completed, not merely requested:

  • Disable every account and credential the person held, including VPN and remote desktop access and any shared passwords they knew, and wipe company data from employee-owned devices
  • Ensure all company-owned devices and media (laptops, external drives, thumb drives, backup media) are returned and accounted for
  • Revoke access to cloud storage and SaaS services, including active sessions and tokens that would otherwise outlive a password change
  • Check the mailbox for forwarding settings and inbox rules that send mail to a private or external address
  • Afterwards, review sign-in and access logs for any activity by the former employee's accounts; in this case the access went undetected for roughly ten months
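The following script is an added example, not code from the article, from Premier or from its vendor. It assumes a Microsoft 365 tenant with Exchange Online, that the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, and that an administrator has already run Connect-ExchangeOnline and Connect-MgGraph with the User.ReadWrite.All and AuditLog.Read.All scopes. The user principal name, the internal domain list and the termination date are placeholders. It performs the account-disable, session-revocation, mail-forwarding and post-termination sign-in checks from the list above for one departing user.

```powershell
# Added example: offboarding checks for a departing user in Microsoft 365.
# Assumes Connect-ExchangeOnline and Connect-MgGraph have already been run.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,      # placeholder, e.g. jdoe@example.com
    [string[]]$InternalDomains = @('example.com'),         # placeholder: your accepted mail domains
    [datetime]$TerminationDate = (Get-Date).AddDays(-1)    # placeholder: when access should have ended
)

# 1. Block sign-in and revoke refresh tokens, so sessions issued before the
#    disable do not keep working. A password reset alone does not do this.
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# 2. Mailbox-level forwarding (set by an admin, or by the user in Outlook on the web).
$mbx = Get-Mailbox -Identity $UserPrincipalName
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Write-Warning "Mailbox forwarding found: $($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)"
    Set-Mailbox -Identity $UserPrincipalName `
        -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
}

# 3. Inbox rules that forward or redirect to an address outside the company.
function Test-ExternalRecipient {
    param([string[]]$Recipients, [string[]]$Domains)
    foreach ($r in $Recipients) {
        # Rule recipients render as "Display Name" [SMTP:user@domain]; pull out the SMTP part.
        # Anything that cannot be resolved to an internal domain is treated as external
        # so that it is flagged for review rather than silently trusted.
        if ($r -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $r }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($domain -notin $Domains) { return $true }
    }
    return $false
}

foreach ($rule in (Get-InboxRule -Mailbox $UserPrincipalName)) {
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
    $targets = $targets | Where-Object { $_ }
    if ($targets -and (Test-ExternalRecipient -Recipients $targets -Domains $InternalDomains)) {
        Write-Warning "Inbox rule '$($rule.Name)' forwards externally: $($targets -join ', ')"
        Disable-InboxRule -Identity $rule.Identity -Mailbox $UserPrincipalName -Confirm:$false
    }
}

# 4. Verification: any sign-ins by this account after the termination date?
#    Sign-in logs via Graph require an Azure AD Premium license (assumption noted).
$since  = $TerminationDate.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All
if ($signIns) {
    Write-Warning "$($signIns.Count) sign-in(s) by $UserPrincipalName after $since"
    $signIns | Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed |
        Format-Table -AutoSize
} else {
    Write-Host "No sign-ins by $UserPrincipalName since $since"
}
```

Run it once at termination and again a day or two later; the second run is the one that would have caught the access described in this article, because step 4 checks for logins that should no longer be possible rather than trusting that step 1 succeeded. Any forwarding found in steps 2 and 3 should also be examined as evidence, since a rule created shortly before departure is itself a sign of data staging.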

The danger of insider theft isn't attracting the headlines it once did, but that doesn't mean it's no longer a threat. If you have questions about IT security and how to protect your patients' information, call ITPAC today.