Of those, 500 breaches have been "major" (each affecting at least 500 individuals), with several affecting more than 1 million. The major breaches have generally occurred outside a health care facility's walls and resulted from a laptop or backup tapes being lost or stolen, or a hard drive or paper records being improperly disposed of.
But internal threats to protected health information (when employees snoop into medical records of co-workers or VIPs, bring in unauthorized mobile devices, make configuration changes to information systems, send unencrypted information in e-mails to legitimate outside recipients, or unknowingly access a rogue Web site) are far more common than the big breaches that make headlines, I.T. executives say.
The University of Arizona Health Network in Tucson had snooping incidents when former Rep. Gabby Giffords was being treated for gunshot wounds following a shooting spree at a meeting with constituents, says Jeffrey MacEwen, the health system's information assurance officer. Some snoopers tried to get around internal security by jumping on workstations and checking Giffords' records after co-workers walked away without logging out of their sessions, he recalls.
Three-hospital Beaumont Health System in Royal Oak, Mich., has terminated a handful of employees this year because they were found to have pulled records of co-workers or VIPs, says Doug Copley, director of corporate information services and information security officer.
While there's always a handful of employees who are criminally curious, most internal breaches of PHI are unintentional, such as an employee transferring records to a flash drive or sending records to a personal e-mail account to work on them from home, or even sending records to a peer for advice, Copley says. "Things happen and most of the time it's not malicious, it's people not knowing the right way to secure the information."
In Joe Goedert’s feature story in the August issue of Health Data Management, information security officers detail working strategies for mitigating internal threats.