The alleged theft of mental health information on more than 28,000 patients in Texas, which went undetected for well over a year, is yet another reminder of the substantial risks that terminated employees can pose as well as the need to take extra steps to protect the most sensitive patient information.
The Center for Health Care Services, a provider of mental health services and substance abuse treatment based in San Antonio, Texas, is notifying 28,434 patients whose data was apparently stolen when a former employee allegedly took the information after he was fired in 2016, according to a statement issued by the center.
"A former employee of CHCS was discovered to have secretly taken personal health information from CHCS on his personal laptop computer at the time his employment was terminated on May 31, 2016," the statement says. "The discovery was made on Nov. 7, 2017, as a result of documents produced in litigation between the former employee and CHCS."
CHCS says the compromised data includes patients' Social Security numbers, dates of birth, medical records numbers, dates of services, referral information, progress notes, types of services, diagnoses, medications, lab and toxicology reports, autopsy reports, death certificates, treatment plans and discharge and death summaries.
"CHCS does not currently believe there are any steps individuals need to take to protect themselves from potential harm resulting from the breach, but will provide further notification if the circumstances change materially," the center's statement says.
The clinic's attorney declined to describe to Information Security Media Group the nature of the litigation between CHCS and the former employee or provide further information.
The breach at the San Antonio clinic is the latest incident spotlighting the risks posed by fired employees and other insiders.
Last week, the Department of Health and Human Services' Office for Civil Rights issued an alert reminding covered entities and business associates of the serious security and privacy risks that terminated employees can pose and offering advice for mitigating those risks.
Among the advice offered by OCR, as well as privacy and security experts, is for organizations to quickly end employees' electronic and physical access to data when they leave their jobs for any reason (see Mitigating Threats Posed by Terminated Employees).
Sensitive Health Data
Some privacy and security experts say the recently revealed incident at the San Antonio clinic is also a reminder of the importance of safeguarding patient's most sensitive health data, such as mental health, substance abuse and HIV status information.
"Healthcare organizations' infosec programs should include data classification," says Kate Borten, president of The Marblehead Group consultancy. "In terms of confidentiality, all PHI is confidential. But mental health and other types of PHI should be treated as highly confidential and deserving of more rigorous security controls.
"Today, we grant electronic PHI access to groups of users, such as nurses and physicians, but access to highly confidential PHI should be restricted to the patient's specific caregivers. Unfortunately, our healthcare system vendors have not yet implemented that level of access control granularity."
Although HIPAA does not parse PHI into different levels of sensitivity, the healthcare industry has long recognized that a breach of mental health information is very likely to be damaging to the patient, Borten says. "Furthermore, federal and state laws pile on the requirements and penalties for such breaches," she adds.
For example, under the federal statute 42 CFR Part 2, healthcare providers participating in federally assisted substance abuse programs have additional requirements for protecting the confidentially of certain patient data. Those include, for example, special requirements for obtaining patients' consent before information is released, plus standards for de-identification of sensitive data.
Meanwhile, in its most recent HIPAA enforcement action, OCR in May issued a hefty financial penalty in a breach case involving sensitive HIV status information of just two patients (see Big Settlement in Privacy Case Involving 2 Patients' HIV Data).
OCR said St. Luke's-Roosevelt Hospital Center in New York City paid $387,000 and agreed to a corrective action plan to settle a case involving "careless handling of HIV information."
Taking Extra Precautions
Healthcare organizations need to be especially careful when handling certain extra-sensitive patient information, says Mac McMillan, CEO of security consultancy CynergisTek.
"All personal health information is important, but information concerning mental health, substance abuse and other similar types of issues can be particularly negative if exposed publicly," he says. "But it also represents an at-risk population for higher risk of exploitation. "So it should garner greater attention."
Entities handling this type of information should have strict policies regarding the use of personal devices, he notes. "They should employ data loss prevention tools to manage/limit data extraction," he says. "There should be elevated or more frequent user audits to identify at-risk behaviors. The problem is getting information back is always harder than stopping it from leaving."