Virginia’s Riverside Health System has acknowledged that a former employee of the Riverside-owned Cancer Specialists of Tidewater has been charged with improperly accessing patients’ credit card information and Social Security numbers (h/t PHIprivacy.net).
T’sha Riddick, 33, worked for almost two years at one of the company’s clinics, according to the Virginian-Pilot. Every patient who has visited the practice since Riddick’s hiring in June 2012, more than 2,000 people in total, is potentially affected.
Riverside spokesman Peter Glagola told the newspaper that Riddick, who had a previous felony conviction for credit card fraud, had never been given a background check.
“Keeping patient information protected is vital at Riverside,” Glagola said in a statement. “We are looking at ways to improve our monitoring program with more automatic flags to protect our patients.”
Last month, the Las Vegas-based Western Regional Center for Brain & Spine Surgery (WRCBSS) acknowledged a similar breach.
In May 2014, WRCBSS was notified by law enforcement that a former employee who had worked at the center in 2011 and 2012 was under investigation for the theft of as many as 12,000 patients’ personal health information, including names, Social Security numbers, birthdates, home addresses and billing account numbers (h/t SC Magazine).
“Presently, we are unable to identify the specific patients whose personal health information was actually stolen nor do we know which of those patients whose information was stolen was also used for fraudulent activities,” WRCBSS stated in the notification letter. “We are therefore notifying all our patients whose personal health information was in our billing system at the time of the breach.”
According to the results of a recent IS Decisions survey of 1,000 desk workers in the U.S. and 1,000 in the U.K., fully 36 percent of respondents said they had access to a former employer’s systems or data after having left the organization. Among those respondents, 9 percent chose to make use of that data.
The risks of that type of access are being featured prominently in the news this week, as CNN reports that a new leaker has begun exposing U.S. national security documents following Edward Snowden’s surveillance disclosures.
Eric Chiu, president and co-founder of HyTrust, said by email that insider threats can cause a unique amount of damage to any organization. “The issue is that once an attacker or malicious employee (or frankly, someone that doesn’t have the same philosophical beliefs) is on the network, it is impossible to tell a good guy from a bad guy; that person can take their time to siphon off large amounts of data without being detected,” he said.
In response, Chiu said, organizations urgently need to secure their data against insider threats, particularly customer information and intellectual property. “This requires that organizations take an ‘inside-out’ model to security and assume the bad guy is already on the network,” he said. “Access controls including the two-man rule, role-based monitoring and data encryption are key requirements to make this happen, especially in highly concentrated environments like virtualization and cloud.”
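Two of the controls this article keeps returning to are mechanical enough to show in code: accounts that keep working after the employee has left (the IS Decisions finding above), and the kind of "automatic flag" on record access that Riverside says it wants to add and that Chiu calls role-based monitoring. The following is an added example written for this page; it is not code from the article, from Riverside, WRCBSS, IS Decisions or HyTrust. The `key=value` audit-log format, the HR roster fields, the sample log lines and the thresholds (three times the role's daily median, with a floor of ten distinct patients) are all assumptions made for the illustration.

```python
"""Two simple insider-threat flags run over a constructed access log.

Added example, not code from the article or any organisation it names.
Log format, roster fields, sample data and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed HR roster (assumption): login -> role and termination date.
# None means the person is still employed.
ROSTER = {
    "jdoe":   {"role": "billing", "terminated": None},
    "mchen":  {"role": "billing", "terminated": None},
    "tpark":  {"role": "billing", "terminated": None},
    "rlee":   {"role": "billing", "terminated": date(2014, 5, 1)},
    "asmith": {"role": "nurse",   "terminated": None},
}

# Constructed audit-log lines in an assumed "timestamp key=value ..." format.
LOG_LINES = [
    "2014-06-10T09:12:00 user=jdoe action=view_record patient=P1001",
    "2014-06-10T09:15:00 user=jdoe action=view_record patient=P1002",
    "2014-06-10T09:40:00 user=jdoe action=view_record patient=P1003",
    "2014-06-10T10:02:00 user=mchen action=view_record patient=P1004",
    "2014-06-10T10:05:00 user=mchen action=view_record patient=P1004",
    "2014-06-10T10:30:00 user=mchen action=view_record patient=P1005",
    "2014-06-10T11:00:00 user=asmith action=view_record patient=P1006",
    "2014-06-10T19:45:00 user=rlee action=view_record patient=P1007",   # rlee left in May
    "2014-06-10T19:47:00 user=rlee action=view_record patient=P1008",
    "2014-06-10T20:10:00 user=ghost action=view_record patient=P1009",  # no roster entry at all
] + [
    # One billing clerk walks a large slice of the patient list in a single evening.
    f"2014-06-10T21:{i:02d}:00 user=tpark action=view_record patient=P2{i:03d}"
    for i in range(25)
]


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' plus the key=value fields."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def flag_stale_accounts(events, roster):
    """Access by accounts that should no longer exist.

    Returns (user, timestamp, reason) for logins that have no roster entry or
    that occur on or after the user's termination date.
    """
    hits = []
    for e in events:
        entry = roster.get(e["user"])
        if entry is None:
            hits.append((e["user"], e["ts"], "no roster entry"))
        elif entry["terminated"] and e["ts"].date() >= entry["terminated"]:
            hits.append((e["user"], e["ts"], f"terminated {entry['terminated']}"))
    return hits


def flag_volume_outliers(events, roster, factor=3.0, floor=10):
    """Role-based volume flag.

    For each (day, role) group, count distinct patients each user touched and
    flag anyone above max(floor, factor * median of the group). Returns
    (user, day, distinct_patients, threshold) tuples.
    """
    per_user = defaultdict(set)  # (day, role, user) -> set of patient ids
    for e in events:
        entry = roster.get(e["user"])
        if entry is None:
            continue  # unknown accounts are already reported by flag_stale_accounts
        per_user[(e["ts"].date(), entry["role"], e["user"])].add(e["patient"])

    by_group = defaultdict(dict)  # (day, role) -> {user: distinct patient count}
    for (day, role, user), patients in per_user.items():
        by_group[(day, role)][user] = len(patients)

    hits = []
    for (day, role), counts in by_group.items():
        threshold = max(floor, factor * median(counts.values()))
        for user, n in counts.items():
            if n > threshold:
                hits.append((user, day, n, threshold))
    return hits


def run(log_lines=LOG_LINES, roster=ROSTER):
    """Parse the log and return both sets of flags."""
    events = [parse_line(line) for line in log_lines]
    return {
        "stale": flag_stale_accounts(events, roster),
        "volume": flag_volume_outliers(events, roster),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        for hit in hits:
            print(kind, *hit)
```

On the constructed data the first check reports both `rlee` logins (terminated 2014-05-01) and the `ghost` login that matches no roster entry; the second reports only `tpark`, who touched 25 distinct patients against a billing-role median of 2.5 and a threshold of 10. The volume check deliberately compares a user with peers in the same role on the same day rather than against a global number, because a billing clerk and a nurse have legitimately different access patterns; the floor stops a tiny group from flagging normal work.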
For more advice on how to defend against insider threats, see this eSecurity Planet article.