A couple more cases of insider breaches were reported in July, suggesting HIPAA compliance is still an issue for many organizations.
White Blossom Care Center in San Jose, CA, notified approximately 800 residents that some of their protected health information (PHI) was accessed by a former employee. White Blossom retained a third party to aid in the investigation of the incident. The organization believes that the employee accessed the information while employed there.
Currently, it is unclear exactly how this breach was discovered and when the access occurred.
White Blossom does not believe bank account numbers or other financial information was included in the patient information the employee obtained. Despite this belief, White Blossom is offering a year of credit monitoring and up to $25,000 in identity theft insurance if the information is used in this manner.
The second case involves a former Bupa employee who posted up to 1 million records for sale on the dark web. Bupa is a private insurance company. This employee was selling the information while employed at Bupa. As soon as the breach was reported, the employee was fired.
While it is unlikely that organizations will be able to eliminate these types of insider breaches, there are certain controls that can be implemented to help protect patient information. Many of these controls are required for HIPAA compliance. They might include restricting access to PHI to cases where it is necessary and implementing audit logs to see who is accessing information. Some of these methods may require more human effort, but that time will be well spent if an organization does not need to make a breach report.
Additionally, background checks should be conducted often, not just when an employee is vetted for hiring. This will give an organization information on employees that might reveal a reason to be concerned.