Mayo Clinic fires worker for snooping in patient records


Date Reported:
9/9/10

Organization:
Mayo Clinic

Contractor/Consultant/Branch:
None

Location:
"all Mayo sites"

Victims:
Patients

Number Affected:
"about 1,700"

Types of Data:
"patients' medical and financial records"

Breach Description:
"ROCHESTER, Minn. - The Mayo Clinic has fired an employee for snooping through patients' medical and financial records."

Reference URL:
KTTC News
The Post-Bulletin
Twin Cities FOX News

Report Credit:
Jeff Hansel, The Post Bulletin

Response:
From the online sources cited above:

ROCHESTER, Minn. - The Mayo Clinic has fired an employee for snooping through patients' medical and financial records.

Mayo spokesman, Chris Gade, says the incident was discovered in mid-July, but, he says, the unauthorized access took place between 2006 and 2010.
[Evan] Wow.  This person's snooping was a regular habit for four years!  In most organizations, this type of activity is never identified and investigated.  For Mayo, it's better late than never.

Gade did not identify the employee.

The employee once worked in Rochester, but recently was working in the clinic's financial unit in Arizona.

1,200 people work in the financial business unit.
[Evan] Let's say that just 1% of the people in this unit are not 100% trustworthy with the access they are given to sensitive information.  That would amount to 12 people.  I use these numbers only as an example and they are not based upon hard factual data.  What are some of the things we can do to prevent bad activity (misuse) and/or detect it earlier?

Gade says the worker accessed information that was beyond the scope of the job.

the employee had access to all Mayo Clinic patient records at all Mayo sites
[Evan] This employee supposedly had been "snooping" for around four years and had access to patient records globally.  I'm curious as to how Mayo came up with the number of 1,700.  Do they have logs that are detailed enough to track access and go back to 2006?  I suppose they could, but most organizations don't.

An internal investigation yielded no evidence of intent to use the information for fraudulent purposes.

"It's important to point out that every indication in the conversations that we've had in the review and investigation is that it was not being done for the purposes of fraudulent activity or identity theft," Gade said. "It simply was very inappropriate curiosity-viewing."
[Evan] This is one heckuva lot of "curiosity-viewing"!  Did this employee do any real work?

Mayo Clinic has notified patients whose records were accessed inappropriately.

The clinic is also providing a dedicated call center with resources available to address patients' concerns related to this incident.

The call center phone number is 1-.

Gade says Mayo is reviewing the circumstances surrounding the incident and will increase proactive monitoring of patient records.

Twila Brase, president of the Minnesota-based Citizens' Council on Health Care, a patient-advocacy group, said that even though no identity theft or fraud might have occurred, the situation showed that people with wide access to patient records have "a huge capacity to commit fraud."
[Evan] Very true.

"This is a bellwether event, because this shows what will happen when everybody's records are put in the National Health Information Network and they're all connected all over the country. So I think this is just a small sign of big things to come," Brase said.
[Evan] Very true again.  Things will get much worse in my opinion.

Commentary:
Employee mistakes, misuse, and fraud are very hard to prevent and oftentimes hard to detect.  The management of security (or insecurity) surrounding employee behavior is one of the most challenging aspects of our job.  I have plenty of tips, but I would like to hear some of yours.  Email me or comment.  Share what you do.

Interesting, but not directly related; according to The Post Bulletin article:

This is the second high-profile termination at Mayo in the past month. In late August, the clinic announced that a radiologic technologist at Mayo in Jacksonville, Fla., had admitted injecting himself with pain medicine intended for patients, refilling the syringes with saline solution and shooting the resulting mix into patients' IV lines. In the process, the worker allegedly infected at least three patients with hepatitis C.

Past Breaches:
Unknown

 