Insider Threat & HIPAA: Computers Containing “Thousands” of Patient Files Stolen

10 computers containing personal information on thousands of patients were stolen from a Hospital Corporation of America (HCA) regional office, and now the FBI is investigating. The report did not say when the theft occurred, though.

"The computers were stolen from a secure building, and the thieves slipped by video surveillance. HCA is one of the nation’s leading providers of health care services. The company’s 200 plus hospitals and surgical centers serve thousands of patients in the US and around the world. The company is warning patients, and the FBI is now involved.

“For now investigators aren’t saying which regional office was targeted by thieves, but the stolen computers contain sensitive information — including social security numbers and thousands of files on Medicare and Medicaid patients treated at HCA hospitals.”

The theft affects patients on Medicare or Medicaid who have failed to pay their co-pay or deductible, and those who were seen in an HCA hospital in Colorado, Kansas, Louisiana, Mississippi, Oklahoma, Oregon, Texas or Washington between 1996 and 2006. HCA did not believe any of the files stolen belonged to patients in Tennessee.

The theft has sent shockwaves through the system of the Nashville-based company raising concerns about security. Now a special call center has been set up to answer questions for concerned patients. Investigators thought the thieves stole the computer hardware to sell, and had no interest in using the information for identity theft.

So far there have been no leads on the thieves, and no arrests. The original location of the computers has not been disclosed, and will not be while the FBI investigates. The thieves got past some elaborate security, including a keypad lock and a password for access, making it possible that it was an inside job. With this in mind, HCA has taken steps to further beef up security."

A few thoughts about this incident…

  • Even though patient information was stolen from a healthcare provider (a HIPAA-defined "covered entity"), it is unlikely there will be any HIPAA violations declared. They had what sounds like reasonable physical security in place.
  • From the report it certainly does sound very likely that it was an inside job, considering that video surveillance was bypassed along with the keypad lock and password. Organizations must always remember that some "trusted" insiders will turn out to be threats and may commit crimes using their authorized access.
  • It is good the hospital contacted all the patients involved, in addition to setting up a special call center to answer questions.
  • It is odd/interesting that the investigators, without (supposedly) knowing who the thieves were, would say they "had no interest in using the information for identity theft." How could such a thing be known? They must have much more information about this incident/theft than was reported. No one can know the intent of an unknown person or persons.
