Provider Treating Nightclub Shooting Victims Reports Breach
Orlando Health Notifies Patients of Records Snooping
A Florida healthcare provider that treated victims of the Orlando Pulse nightclub massacre in June is notifying patients impacted by a breach involving insider record snooping.
Privacy and security experts say the breach highlights challenges many healthcare organizations face in protecting patient data from inappropriate access by insiders, especially during high-profile emergency situations and other crises.
"Snooping - for curiosity and many other reasons - is never going to go away since it's the human condition and we don't have the technology to prevent it," says privacy and security expert Kate Borten, founder of the consultancy The Marblehead Group. "All healthcare organizations carry this risk and must be diligent in limiting access, monitoring access, teaching the workforce that snooping is prohibited, and then sanctioning offenders."
In a letter to patients obtained by Florida TV station WFTV, Orlando Health, which operates several hospitals in central Florida, says: "On July 12, while conducting patient record access audits, we learned that on June 15, an Orlando Health employee accessed patient records outside of the employee's current job responsibilities."
The letter does not specify that patients affected by the breach were victims of the June 12 Pulse nightclub shooting. Nor does the letter indicate how many patients were impacted by the privacy incident.
WFTV reports, however, that patients receiving the letter - and in some cases phone calls - from Orlando Health about the incident were treated for shotgun and other injuries sustained in the attack.
On its website, Orlando Health indicates that 44 victims of the Pulse massacre were treated at its Orlando Regional Medical Center.
The letter notes that the employee "had no reason to access these records and we believe the employee was viewing these records out of personal curiosity. The employee was sanctioned according to Orlando Health policy."
Orlando Health says in the letter that the employee was able to view "limited information" in electronic medical records, including patient name, date of birth, weight, hospital location, hospital account number, hospital medical record number, date and time of admission, physician and visit reason. "The information did not include any other clinical information," the letter notes. "The employee did not have access to your full Social Security number or other financial information. The information was not downloaded or printed, and we have no evidence that your information has been used in any way or removed from the hospital."
While the letter indicates the involvement of one Orlando Health employee, WFTV notes that, "the hospital said in an email ... 'Team members giving in to their personal curiosities violated our policies and steps have been taken internally to discipline those involved.'"
Security Steps Taken After Incident
In a statement, Orlando Health tells Information Security Media Group: "Numerous team members across our system require access to vital records and information in order to provide our patients with the highest levels of care. All team members are also made aware that they too have a responsibility to maintain our patients' privacy and protect their personal information."
The statement also notes, "As a result of this incident, we are re-educating our workforce members and increasing our already vigilant program of auditing and monitoring of patient record access. Any instance of team members accessing patient records outside of their current job responsibilities violates our policies, and steps are taken internally to discipline anyone involved. We want to assure our patients that the policies and procedures we have in place protect their information, and we are continually evaluating and modifying our practices and the practices of our employees to enhance the security and privacy of all confidential and protected health information entrusted to us."
Orlando Health declined to answer ISMG's inquiries related to how many patients were impacted by the breach, whether all the affected patients were victims of the Pulse attack, how many employees were involved, or the type of sanctions issued.
Based on the information contained in the Orlando Health letter to patients, it appears that the organization discovered the inappropriate record access through analysis of access logs about one month after the incident occurred.
"Ideally, healthcare organizations should be proactively auditing access to patient information on a regular basis, and there is technology that supports that, but inappropriate access isn't always overtly obvious," says Mac McMillan, CEO of security consultancy CynergisTek. "The fact that Orlando Health, which has a very serious approach to privacy and security, was diligent in its reviews is important."
But the incident might have been detected sooner had the healthcare provider escalated monitoring during the crisis, some experts say.
"Proactive review of audit logs is an important process, but there is no accepted standard for the frequency and method," Borten says. "I would say routine audits should be done at least monthly. But out-of-cycle audits should be done whenever there are circumstances that increase risk of snooping. When high-profile patients are admitted and when a local event leads to patients being hospitalized, specific audits of access to those patients should be performed."
McMillan suggests that healthcare entities "should limit the number of personnel who have access, enable the higher profile flags in the system, set alerts rather than reports to receive notifications quicker of abnormal access, and remind staff of their responsibilities to patient privacy even during emergent situations."
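The out-of-cycle audit Borten describes and the "alerts rather than reports" approach McMillan recommends can be expressed as a short review of the EHR access log. The following is an added example, not code from Orlando Health, ISMG or any EHR vendor: it marks the charts of patients admitted from a high-profile event, then raises an alert for every access to one of those charts by a user who is not on that patient's care team. The log lines, user ids, roles, patient ids and the care-team table are all constructed for the example, and the "broad access" role list is an assumption that a real organization would define for itself.

```python
"""Out-of-cycle EHR access audit focused on event-flagged patients.

Added example; all data below is constructed and every id is hypothetical.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit-log export: timestamp, user id, role, patient id, action.
AUDIT_LOG = """\
2016-06-15T02:14:07 u1001 RN P-5001 VIEW_SUMMARY
2016-06-15T02:20:33 u2001 MD P-5001 VIEW_CHART
2016-06-15T09:41:12 u3003 BILLING P-5001 VIEW_SUMMARY
2016-06-15T09:42:05 u3003 BILLING P-5002 VIEW_SUMMARY
2016-06-15T09:43:50 u3003 BILLING P-5003 VIEW_SUMMARY
2016-06-15T11:05:19 u4004 PRIVACY_OFFICER P-5002 VIEW_CHART
2016-06-15T13:30:00 u1001 RN P-9000 VIEW_SUMMARY
2016-06-15T14:02:44 u1001 RN P-5002 VIEW_SUMMARY
"""

# Constructed: charts flagged at admission as belonging to the event cohort.
FLAGGED_PATIENTS = {"P-5001", "P-5002", "P-5003"}

# Constructed: who is actually treating each flagged patient.
CARE_TEAM = {
    "P-5001": {"u1001", "u2001"},
    "P-5002": {"u2002"},
    "P-5003": {"u2003", "u1003"},
}

# Assumption for the example: roles whose duties justify chart access
# outside an assigned care team (e.g. the privacy office doing the audit).
BROAD_ACCESS_ROLES = {"PRIVACY_OFFICER"}


def parse_log(text):
    """Parse the whitespace-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def audit_flagged_access(events, flagged, care_team,
                         broad_roles=BROAD_ACCESS_ROLES, since=None):
    """Return one alert per access to a flagged chart by a user who is
    neither on that patient's care team nor in a broad-access role.

    `since` restricts the review to the window that raised the risk
    (the event date onward), which is what an out-of-cycle audit wants.
    """
    alerts = []
    for ev in events:
        if since is not None and ev["ts"] < since:
            continue
        if ev["patient"] not in flagged:
            continue
        if ev["role"] in broad_roles:
            continue
        if ev["user"] in care_team.get(ev["patient"], set()):
            continue
        alerts.append(ev)
    return alerts


def summarize_by_user(alerts):
    """Count distinct flagged charts per alerted user. One user touching
    several unrelated charts is the classic curiosity pattern and is the
    case worth escalating first."""
    charts = defaultdict(set)
    for ev in alerts:
        charts[ev["user"]].add(ev["patient"])
    return {user: len(patients) for user, patients in charts.items()}


def format_alert(ev):
    """Render an alert line suitable for a ticket or pager, not a monthly report."""
    return (f"ALERT {ev['ts'].isoformat()} user={ev['user']} role={ev['role']} "
            f"patient={ev['patient']} action={ev['action']} reason=not_on_care_team")


if __name__ == "__main__":
    found = audit_flagged_access(parse_log(AUDIT_LOG), FLAGGED_PATIENTS, CARE_TEAM,
                                 since=datetime(2016, 6, 15))
    for ev in found:
        print(format_alert(ev))
    print("distinct flagged charts per user:", summarize_by_user(found))
```

Running it on the constructed log produces four alerts: three for the billing user who browsed every flagged chart and one for the nurse who opened a chart outside her own assignments, while the care-team accesses, the privacy officer's review and the access to an unflagged patient are left alone. The care-team table is the piece that makes this precise; without it, the audit can only report volume, and every finding still has to be investigated by a person, which is the false-positive burden Dill describes later in the article.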
Due to the number of Orlando Health staff members likely involved in treating the Pulse shooting victims, "if the extent of the inappropriate activity at Orlando Health was one individual, that health system and its workforce performed admirably," McMillan says.
Preventing and detecting employee record snooping and other inappropriate information access requires a strong combination of policy, procedures and technology.
For instance, healthcare entities can implement additional privacy precautions during times of crisis. In the immediate aftermath of the April 2013 Boston Marathon bombing incident, Beth Israel Deaconess Medical Center, which treated several victims, as well as one of the bombers, refreshed its privacy reminders to staff, said CIO John Halamka. That included reminders placed on the top of every page of BIDMC's intranet, warning about unauthorized access to patient records, and also about not posting patient information or photos on social media sites. The final warning on the message: "Violation of these regulations and policies will lead to disciplinary action up to and including termination of employment."
"Using a sanction as a 'teaching moment' for the workforce is effective at changing behavior," notes Mark Dill, former longtime CISO at Cleveland Clinic, who's now a principal consultant at tw-Security. "The teaching moment works best when a termination has occurred."
Despite healthcare organizations' employee warnings and training efforts, patient privacy is still a sticky issue for some staff, says Keith Fricke, a principal consultant at tw-Security. "The newest generation of the workforce ... has grown up in a world where everyone freely shares their information on social media. Consequently, they may be less sensitive to the fact that patient privacy is important, needs to be respected, and is governed by laws. Employers need to enforce policies so employees know there are consequences for inappropriate access."
Security technology "can only assist an investigation so far - one-on-one conversations still need to take place," Dill points out. "Compliance, privacy and IT tend to work together to eliminate 'false positives' in the tool-created reports - because every finding has to be investigated and this can quickly overwhelm a limited staff.
"Worker accountability - matched with HR's willingness to apply sanctions - is key; if workers know they can get away with snooping, they may occasionally snoop; if they are certain they will get caught, they are more likely to refrain."