Ah, less-than-sweet mysteries of life: when you can’t figure out if or how you were breached

How frustrating for everyone: St. Agnes Hospital in Baltimore learned that 40 of its physicians had become victims of ID theft. Hapless victims had their names and Social Security numbers used to create wireless telephone accounts that they knew nothing about until they started receiving overdue notices from creditors.

But despite its best efforts to identify any internal source of the breach, St. Agnes Hospital could not  find any confirmation of a breach. In a letter to those affected, the text of which was submitted to the state last month, they write:

Once the reports were received, we reviewed all of the points of access and storage for this type of information in Saint Agnes systems. The only system that maintained the same information for all physicians making reports was the credentialing system. We conducted a careful access review and interviews and failed to detect unauthorized access, access after normal business hours, or any other suspicious activity in the system. We were unable to determine that there was a breach of any of our systems that allowed disclosure of the physicians’ personal data.

So what do you do when you suspect your organization has suffered a breach and you think you’ve narrowed it down to one part of your system, but you can’t find out how or when it happened? In this case, the hospital notified physicians that despite its inability to confirm any breach, given the seriousness of the problem, it intended to:

  • Review the list of users with access to sensitive personal data and minimize access where possible to only those who have a business need to access or review the information;
  • Refresh HIPAA privacy education in those departments routinely using physician information; and,
  • Investigate disguising or eliminating social security numbers in data systems where they are stored.

That’s nice, but shouldn’t they have been doing all of that already?  And how about running more extensive criminal background checks on employees who could be simply writing down names and SSNs as they access data for their routine job duties?  We’ve seen too many insider breaches in hospitals. Usually it’s patient data being sold, but why not physicians, too?

About the author: Dissent

4 comments to “Ah, less-than-sweet mysteries of life: when you can’t figure out if or how you were breached”

You can leave a reply or Trackback this post.
  1. Dave - September 24, 2012

    You might wish to change:

    “used to create wireless telephone accounts that they knew about”

    to read:

    “used to create wireless telephone accounts that they knew NOTHING about”

    • admin - September 24, 2012

      Oops – fixed that pre-caffeine omission. Thanks!

      • Dave - September 24, 2012

        😀 Welcome.

  2. IA Eng - September 25, 2012

    If it is not obvious how the “breach” happened, it could be alot of different avenues.
    1. Insider Threat
    2. Insider Threat at another institution that all affected are a member of (bank,ISP,phone,ecommerce, even hospital gift shop or a charity they give to).

    The possibilities are endless how this could have happened. They could see if there ARENT any people on the list, meaning, they may have come onboard AFTER the breach was leaked, and can narrow down the potential breach time frame.

    Without knowing all the information, if it was specifically just doctors, or a particular wing or department within the hospital, it could be a sort of revenge tactic where someone simply hand jammed the data on paper and then sold or gave the info away.

    All it takes is one luncheon at a compromised system that everyone (or most) attended, whether it was a lunch, going away party, happy hour or otherwise, and there ya have it.

    Sometimes its not the institutions fault, but they will still have to show face and eventually find out the cause of the leak.

    Again, it seems like this organization is doing its own form of forensics. Its best to bring in the professionals to look for the breach/compromise. It will prevent most potential cover ups and potential evidence remains intact vice being tainted and unusable in the court of law.

    Most hackers KNOW that the off duty hours is probably not the best time to try and gain access to a system. usage is low and network spikes are very evident in the evening hours. Many hackers will try to lay low and attempt “break ins” during the day when a user account and password combo is typically used, and if a few unsuccessful attempts are acceptible.

Comments are closed.