Identity Theft and the Mythical Evil Hacker Across the World.
When we think about identity theft, maybe we tend to think about evil hackers in foreign countries trying to gain access to our data.
Or maybe we think about cerebral kids with nothing better to do than to try and gain access to confidential databases for the sheer love of doing it.
We may also picture paper medical records being thrown into the trash and being retrieved by someone who uses them to take out credit cards, loans or apply for benefits.
Sometimes the last thing we think of is malicious data theft by employees we hire to serve our patients.
Identity Theft Under Our Noses!
This recently occurred at a clinic serving low income patients in Palm Beach County, Florida. Here, the individual had been collecting the data to sell as part of a fraud scheme. Fortunately, a delivery truck driver who grew suspicious of the woman who ostensibly wanted to spend $36.00 to ship a card overnight. The driver opened the package and discovered lists with clients’ information. Information included client’s social security numbers. The employee was fired and has been arrested on several counts of fraud.
Additionally, in Texas there have been several reports of similar identity thefts.
A former Texas Department of Health and Human Service worker in Mount Pleasant assumed the identity of clients receiving immunizations and other services at the Texas Department of Health and Human Services. She then used this client information and applied for credit cards online and – once approved – made as many purchases as the credit card would allow. The former employee was arrested and several hundreds of patient names and social security numbers were retrieved from her residence.
The former employee has been charged with Fraudulent Use or Possession of Identifying information, a 2nd Degree Felony, and Credit Card Abuse, a State Jail Felony.
What Can Be Done to Prevent Identity Theft By Trusted Employees?
Unfortunately, it is impossible to filter all bad apples out of the barrel of potential job applicants. Perhaps employees fall on hard times and feel that stealing confidential information is a quick way out of financial difficulty. They may not seek employment involving confidential data with the intent to steal it. They may also think there is a low likelihood they will be caught. This is where there logic falls apart.
Most employers storing and utilizing confidential data electronically are deploying tracking software. This allows them to see what employees are accessing what data and when it’s being accessed. Assuming that the employer has someone assigned to check those logs, it can be easy to detect unauthorized access-thereby decreasing the likelihood that improperly accessed patient data can be used for identity theft purposes. If you have not deployed tracking software, this should be a top priority to accomplish in 2013.
Next, employers should be consistently training on HIPAA Privacy and Secutiy Policies. This training should contain ample “scare tactics” of what happens to people who violate the policies. I’ve included two examples in this post. Jobs are lost, arrests are made, lives are ruined.
It is gratifying to see that both employers in the above example appear to have acted appropriately in terminating the employees, communicating with authorities and potentially affected patients and reflecting transparently on what other measures they are taking to assure these incidents do not occur again.
If you are cultivating a culture of compliance in your organization, it goes a long way towards making sure that identity thieves do not feel welcomed as employees.