HIPAA and Insider Threat Example: Healthcare Worker Continues to Access Employee and Patient Data After Quitting

Recently the Bellingham Herald reported a former employee of Madrona Medical Group "was charged with illegally downloading patient files onto his personal laptop computer.  Madrona officials don’t believe the files were copied or used for identity theft, but they sent letters this week to more than 6,000 patients anyway, asking them to take steps to make sure no one uses the information illegally.  The records include patients’ names, addresses, Social Security numbers and dates of birth."

The medical provider notified the 6,000 patients with letters and established a phone number that those concerned could call with questions.

"Former Madrona Medical Group employee Timothy R. Kiel was arrested June 8 and faces trial Sept. 19 on first- and second-degree computer trespass charges. Whatcom County prosecutors say Kiel downloaded onto his personal computer patient records, proprietary software, licensing keys and other data Dec. 17, 2005.  Kiel resigned from the company Dec. 20, prosecutors say, but continued to use his laptop to connect to Madrona’s servers more than 50 times between Dec. 26, 2005, and Jan. 15, 2006.  For example, prosecutors say, Kiel on Jan. 13 used a stolen vendor account, his laptop and a high-speed Internet connection at his Lynden home to connect to Madrona’s computer system. He deleted backup files, e-mail files belonging to Madrona’s human resources director, and server log files to cover his tracks, prosecutors allege."

The time elapsed from when the former employee started accessing the personal files illegally to when the patients were notified, close to 8 months, is incredibly long, especially considering that he accessed the provider's computer systems "more than 50 times".  The number of times personal information could have been copied, distributed, misused, and otherwise used with malicious intent could be incredibly large.

"Though the security breach was discovered in December, Madrona officials didn’t know exactly which files had been compromised until they could review the police report that arrived in mid-July, said Madrona spokesman Mark Johnson.  Madrona officials are now more closely monitoring the few employees who have access to so many records, like Kiel did, Johnson said.  The practice already has "very sophisticated" computer security systems, Laine said.  "What we cannot secure ourselves against, unfortunately, are other people’s actions," he said. "Illegal actions, in particular.""

So, it appears that law enforcement took all those months to create a police report?  Why do police reports for compromised personal information always seem to take an inordinately long time?  What activities are actually going on?  All the while, the personal information could be used for many different fraudulent activities, while the victims have had no notification or awareness at all that their personal information was compromised and that fraud could be occurring.  Doesn't it seem time for law enforcement to establish reasonable guidelines that allow individuals to be notified much more quickly?  Does there need to be a clause in a federal breach notification law covering this?  There should not need to be a law to do what is right to protect victims as quickly as possible, but unfortunately, without such laws, victims can be left exposed to potential victimization for lengthening periods of time, often on flimsy grounds for delaying notification because of matters related to the investigation.

Donnie Werner wrote about this last week; here are the interesting follow-up questions he posed to the Madrona Medical Group and their replies:

"1. What is the patient data loss probability?
Apparently Mr Kiel neither intended to use nor did he utilize the patient data, and the 6000 or so records appear to be ancillary files stemming from the main attack(s), according to forensics data.

2. What was the position held by Mr Kiel?
A manager in the company IT department with intimate knowledge of the internal network structure. In a statement to patients, Madrona had the following to say:

"We would like to emphasize that this employee had high security clearance while employed at Madrona Medical Group, due to the nature of the position within our organization.  This level of access is rare and limited to very few members of the staff here at Madrona Medical Group."

3. Were background checks and clearances run when Mr Kiel was hired?
Full standard background and security checks as required by a person with a sensitive position within the company.

4. Were there any warning signs of a possible "bad seed" at the company?
None that anyone noticed; he was considered a good employee and had great performance reviews.

5. What was the motive behind the attack?
Evidently there were some issues with either the HR department or one of its staff members. While the exact specifics are not totally clear, Mr Johnson stated: "this individual wanted to capture HR records from a fellow HR employee (for what exactly, who knows) and inadvertently captured certain patient records in the process. The HR info contained various types of data about a variety of subjects. It doesn't appear, from our own data analysis or from the police data report, that this person did anything with the data other than view it for their own information"."

As the article points out, this is a very clear example of an insider threat that materialized into a data incident. 

Some questions that come to mind related to this incident:

  • Why weren't procedures in place to completely remove remote access when an employee leaves the organization?  Even if the employee had "high security clearance", the procedures should ensure that continued access can no longer occur immediately upon termination or, particularly in the case of a high security clearance, upon notice of imminent termination.  In fact, such procedures are even more important for high security clearance employees.
  • What were the provider's policies for employees using their personal computers for business purposes?  There are apparently ways in which they need to improve these practices.
  • Does the lack of such procedures, or the absence of good procedures, substantiate a HIPAA violation?  It seems it very well could.  It is true that authorized, trusted insiders will sometimes carry out illegal activities by taking advantage of their access, and this is very hard to prevent.  However, effective procedures for terminating employees and removing all authorized access may have prevented such an incident.  This weakness in policies and procedures would be identified within a good risk analysis, such as HIPAA requires, and the implementation of policies, procedures and technologies (as necessary) could possibly have prevented the incident.  Wouldn't this seem to point to a lack of HIPAA compliance diligence on the part of the covered entity?  It will be interesting to see whether any Washington State government agencies or groups pursue an investigation into this, or (better yet) whether the Department of Health and Human Services (HHS) investigates.
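One control the first and third questions point at is a routine reconciliation of remote-access logs and account status against HR separation dates, so that access continuing after a resignation is caught in days rather than months. The following is an added example, not code from the post or from Madrona Medical Group; the user ids, addresses, log format and dates are constructed and only loosely mirror the post's timeline.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (assumptions, not from the incident): HR separation
# dates keyed by user id, and the current enabled/disabled state of accounts.
SEPARATIONS = {"jdoe": datetime(2005, 12, 20)}
ACCOUNTS = {"jdoe": True, "asmith": True, "vendor-support": True}  # True = enabled

# Constructed remote-access log: "<ISO timestamp> <user> <source address>".
ACCESS_LOG = """\
2005-12-17T09:12:00 jdoe 10.0.5.21
2005-12-19T17:40:00 jdoe 10.0.5.21
2005-12-26T22:05:00 jdoe 203.0.113.9
2006-01-13T23:48:00 jdoe 203.0.113.9
2006-01-13T08:00:00 asmith 10.0.5.30
"""

@dataclass
class Access:
    when: datetime
    user: str
    source: str

def parse_log(text):
    """Parse the whitespace-separated log format above, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, user, source = line.split()
            entries.append(Access(datetime.fromisoformat(ts), user, source))
    return entries

def access_after_separation(entries, separations):
    """Detective check: entries by a user on or after that user's separation
    date. Any hit means deprovisioning did not take effect."""
    return [e for e in entries
            if e.user in separations and e.when >= separations[e.user]]

def orphaned_accounts(accounts, separations):
    """Preventive check: accounts still enabled although HR has recorded a
    separation for their owner. Shared accounts such as vendor-support have
    no owner in HR data, so this check cannot catch their misuse; that gap is
    why shared and vendor credentials need their own rotation on offboarding."""
    return sorted(u for u, on in accounts.items() if on and u in separations)

def summarize(flagged):
    """Count flagged accesses per user, the figure a notification decision needs."""
    counts = {}
    for e in flagged:
        counts[e.user] = counts.get(e.user, 0) + 1
    return counts

if __name__ == "__main__":
    hits = access_after_separation(parse_log(ACCESS_LOG), SEPARATIONS)
    print(summarize(hits), orphaned_accounts(ACCOUNTS, SEPARATIONS))
```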
