Sometimes institutions of care can harbor ill-intentioned characters

Hospitals and other healthcare facilities have a unique relationship with the people they serve. Patients who visit with doctors, nurses, and other staff are often giving up significant volumes of sensitive data. Because of this, care providers have a significant obligation to handle that information responsibly, an obligation underpinned in U.S. federal law by HIPAA.

Unfortunately, despite best efforts, healthcare operators are not invulnerable to bad actors. Over the years there have been many instances of staff inappropriately accessing patient records. So what are the threats hospitals should watch for, and what can they do if things go wrong?

A Years-long Privacy Breach

In March 2020, Hawaii Pacific Health put out a press release explaining it had terminated an unnamed Straub Medical Center employee for inappropriately reviewing patient files numerous times over a five-year period.

The healthcare provider did not disclose exactly what had been viewed, or whether the data had been illicitly downloaded. Hawaii Pacific Health did, however, confirm that the information accessed covered multiple facilities and included patients’ names and addresses, as well as details of health plans and medical procedures.

A report on the matter says the worker looked at records for over 3,700 patients, though Hawaii Pacific Health concluded the staffer’s motivation was more likely curiosity than malicious intent. The organization noted it would make “necessary adjustments” so as to prevent a repeat of the situation.

Multiple Staff Violations

In May 2020, a mother filed a lawsuit against Ann & Robert H. Lurie Children’s Hospital of Chicago after she learned confidential files relating to her daughter were inappropriately viewed.

The hospital had contacted the anonymous mother – recognized in court filings only as Jane Doe – when it learned a staff member at the facility had seemingly reviewed records for the child many times over a 12-month period. Hospital administrators said they had fired an unidentified nursing assistant for accessing the files, but suggested the individual had not otherwise misused the data. Doe’s lawsuit, however, claims that was not the end of the story.

In her suit against the hospital, Doe said her daughter’s records were opened by a different employee across a separate timeframe, raising concerns that there was indeed some level of nefarious activity at the facility. 

Lurie Children’s Hospital acknowledged two nursing assistants had breached its patient privacy rules, but again stated it had “no reason to suspect any misuse of patient information.” 

Regardless of the intent of its former employees, Lurie Children’s Hospital settled the lawsuit in November 2022, agreeing it would improve its data protection measures and staff training.

iThreat’s SignalAlert Watches for Confidentiality Breaches

There will always be legitimate reasons for staff to access sensitive files, and indeed, the unwritten mantra of the healthcare system is to do no harm. But as the cases above illustrate, violations of HIPAA can and do happen. And while in both instances the healthcare providers expressed doubt that the staffers had malicious objectives, the fact remains that in an environment where such confidential information is gathered, hoping actors are more curious than bad is not a great strategy for keeping patients safe.

iThreat’s SignalAlert is the information monitoring service built to watch for malicious activities. Established in 1997, iThreat’s service has helped hundreds of clients to scour the web, watching for key signals about sensitive data that should not be out in the world.

From news reports to dark web chat rooms, SignalAlert’s ability to detect conversations wherever they’re happening means you can quickly put a stop to personal information spreading any further than it’s supposed to. And with iThreat’s experience in investigating such breaches, you can be sure of the very best help in getting to the bottom of a breach, as well as support in scrubbing that data from the internet.

iThreat understands how vital the trust is between a patient and their healthcare provider. We are committed to supporting healthcare institutions, helping them remedy bad situations before they can get worse.

Protect your patients with iThreat’s SignalAlert.