According to a report from Healthcare Info Security, Riverside Health System, a healthcare provider that operates several hospitals and other care facilities in Virginia, is notifying 2,000 cancer patients about a breach that involves alleged identity theft by a medical assistant who worked at Riverside’s Cancer Specialists of Tidewater oncology practice. The Chesapeake Police Department notified Riverside on June 6 that it was investigating several ID theft cases, and all the victims were patients at the cancer practice. To date, 13 people have reported ID theft to the police. The medical assistant, who has since been fired by Riverside, was authorized to access the data of patients treated at the cancer care practice.
Potential Steps to Prevent Inappropriate Access
The most obvious way to reduce the risk of inappropriate access is to restrict access to records based on an individual’s role and the sensitivity of the data. Additional steps include:
- Conducting background checks for employees who interact with patient information as part of their job responsibilities.
- Implementing data loss prevention solutions to block unauthorized movement of ePHI, such as copying it to USB storage devices or sending it by e-mail.
- Communicating and enforcing privacy and security policies.
Kirk Nahra, a partner at the Washington, D.C., law firm Wiley Rein LLP, shares ways to communicate and enforce such policies. “In the best practices area, that’s a mixture of audits, training, investigations, responding to complaints and sanction policies, making to ensure employees know [inappropriate access] will not be tolerated, even if it’s for an innocuous reason like checking on [the records of] Aunt Sally.”