MU Healthcare Suffers A Data Breach Via An Insider

MU Healthcare has posted a data breach notification that got my attention today:

Upon learning on March 20, 2023, that a workforce member may have been accessing health information in the electronic medical record (EMR) inappropriately, we immediately began an investigation and suspended the workforce member’s access to the EMR.

The subsequent investigation revealed the workforce member used the electronic medical record (EMR) to access 736 medical records between July 2021 and March 2023 potentially without a verified Health Insurance Portability and Accountability Act (HIPAA) purpose.

The accesses may have contained patient information including name, date of birth, medical record number, and limited treatment and/or clinical information, such as diagnostic and/or procedure information.

To date, there is no indication that the information was misused or re-disclosed. However, MU Health Care began mailing notification letters to patients whose information may have been inappropriately accessed, alerting them to the incident and advising them to be vigilant in the event of any suspicious activity involving their accounts.

Ani Chaudhuri, CEO of Dasera, had this comment:

The news about the data breach at MU Health Care underscores a widespread challenge within the industry: keeping sensitive patient data secure. While it’s distressing to see another breach, especially one involving an insider threat, it’s important to view this situation not just as an isolated incident, but as a symptom of a larger, systemic issue in data security.

The breach in question involved an employee accessing over 700 patient records without verified HIPAA purpose. It’s easy to point fingers at a single wrongdoer, but such incidents also highlight the need for more robust, automated security controls that can detect and prevent unauthorized access in real time.

At the heart of this is a two-pronged challenge: ensuring that only authorized personnel have access to sensitive patient data, and monitoring that this access is being used appropriately. However, this isn’t as simple as it may sound. Today’s healthcare environment is complex and constantly evolving, with thousands of staff needing various levels of access to patient data. Determining what constitutes “appropriate” access in such a fluid context is a nontrivial task, one that demands a solution more sophisticated than manual reviews or basic access controls.

MU Health Care’s decision to utilize workforce education to train for appropriate access to patient information is commendable, and it’s a crucial step towards cultivating a security-first mindset among staff. However, training alone may not be enough to prevent all instances of inappropriate data access, as evidenced by the recent breach.

Therefore, in tandem with training initiatives, there is a pressing need for comprehensive and automated data governance and security solutions. These technologies not only help detect inappropriate data access and use, but they also work proactively to establish an environment where such breaches are much less likely to occur.

I’m confident that MU Health Care, like many other organizations that have unfortunately found themselves in a similar situation, will not only learn from this incident but will also work towards implementing these enhanced data security measures. Data breaches can be a wake-up call, a chance to reassess and improve our data protection strategies – because at the end of the day, protecting patient data is not just about maintaining trust and compliance; it’s about safeguarding the very essence of healthcare itself.

This situation is not good at all. An insider who leaks data is in some ways worse than getting pwned by hackers. Organizations need to ensure to the best of their ability that insiders are not going to be a bigger threat than hackers trying to break in.
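The monitoring problem raised above (an insider viewing hundreds of charts with no verified purpose) is usually caught by comparing EMR audit-log entries against a treatment-relationship table. The following is an added example, not code from this post, from MU Health Care or from Dasera; the audit-log lines, the assignment table, the user names and the MRNs are all constructed, and the "reason" column for break-the-glass access is an assumed log field.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed EMR audit-log extract (not real data): when, who, which chart,
# what, and an optional documented reason (break-the-glass / emergency access).
AUDIT_LOG = """timestamp,user,mrn,action,reason
2023-03-01T08:02:11,nurse_a,MRN1001,view,
2023-03-01T08:05:40,nurse_a,MRN1002,view,
2023-03-01T09:15:03,nurse_a,MRN4009,view,emergency
2023-03-01T12:44:19,clerk_b,MRN2001,view,
2023-03-01T12:46:02,clerk_b,MRN2002,view,
2023-03-01T12:47:55,clerk_b,MRN2003,view,
2023-03-01T12:49:10,clerk_b,MRN2004,view,
2023-03-01T12:49:40,clerk_b,MRN2002,view,
2023-03-02T07:30:00,dr_c,MRN3001,view,
"""

# Constructed treatment-relationship table: the charts each user is assigned to
# through care-team, scheduling or billing roles. A view outside this set and
# without a documented reason has no verified HIPAA purpose.
ASSIGNED = {
    "nurse_a": {"MRN1001", "MRN1002"},
    "clerk_b": {"MRN2001"},
    "dr_c": {"MRN3001"},
}

def unjustified_accesses(log_text, assigned):
    """Return {user: sorted distinct MRNs} for chart views that are neither
    covered by an assignment nor accompanied by a documented reason."""
    hits = defaultdict(set)
    for row in csv.DictReader(StringIO(log_text)):
        user, mrn = row["user"], row["mrn"]
        if mrn in assigned.get(user, set()):
            continue                      # treatment relationship on file
        if row["reason"].strip():
            continue                      # break-the-glass: logged, reviewed separately
        hits[user].add(mrn)
    return {user: sorted(mrns) for user, mrns in hits.items()}

def users_to_review(log_text, assigned, threshold=3):
    """Users whose count of distinct unjustified charts reaches the threshold;
    these go to a privacy officer for review rather than being auto-blocked."""
    hits = unjustified_accesses(log_text, assigned)
    return sorted(u for u, mrns in hits.items() if len(mrns) >= threshold)
```

Repeated views of the same chart are counted once, so the threshold measures breadth of browsing rather than volume, which is the pattern an insider scanning unrelated records produces.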
