Thursday, April 22, 2010

Former employee uses current employees credentials for access - amazing

Caught this post on the wire “Data breached? Culprit could be a former employee”:
Griffin Hospital in Derby, Conn., announced in March that it experienced an apparent data breach allegedly caused when a previously-affiliated radiologist gained access to the hospital's picture archiving and communication system.

The hospital said the apparent breach came to its attention when it was contacted by several patients who claimed the radiologist called them to offer services at a competing hospital. Access to the hospital's PACS had been revoked when the radiologist's affiliation with the hospital ended, but the doctor allegedly used the log-in credentials of current Griffin employees to access the records of nearly 1,000 patients.
I guess I am somewhat amazed by the fact the doctor used the log-in credentials of current employees to logon. Sounds like he learned a lesson from the dude at Societe Generale in France. This is exactly what regulations like HIPAA are supposed to fix...
Passage of the Health Information Technology for Economic and Clinical Health Act in 2009 put more teeth into HIPAA laws.

Not only can health care organizations now be on the hook for fines up to $1.5 million if data are breached, but they also must notify every affected patient, the Dept. of Health and Human Services and, in some cases, the media.

No comments: