Data on 24,000 patients was uploaded to the cloud. Emory Healthcare (EHC) posted a prominent link on their website with the incident details:
- A former EHC physician, now working at the University of Arizona (UA), uploaded PHI to a University of Arizona College of Medicine Microsoft Office 365 OneDrive account. This action wasn’t authorized and EHC was unaware of the action.
- EHC received a list of the files on the OneDrive account on October 18. These files were about patients receiving radiology services from 2004 to 2014, and included data such as patient names, service dates, and treatment information. The data did not include details such as social security number, address, or financial information.
- The PHI may have been accessible to individuals that were set up with a specific type of UA e-mail account. EHC does not believe the information was viewed by anyone outside of EHC other than former physicians who now work for the UA, limited UA staff, and UA investigators.
- UA immediately removed the information from the OneDrive account.
- EHC reported the incident to the Department of Health and Human Services on December 15 after mailing notices to the affected patients. The mailing included recommendations about steps patients can take to protect themselves.
EHC said they are working to enhance “patient care team education programs to help prevent something like this from happening in the future.”
In this incident, it appears that unauthorized access to the PHI was limited. When it comes to file transfers, the news could have been much worse.
File transfers – whether via email, USB device, or cloud upload – are an activity that should be closely monitored when the files being transferred include sensitive data such as PHI or financial information. Cloud storage can be an enticing alternative for insiders looking to access information from multiple devices, but an organization must weigh productivity needs against security needs.
Security awareness education can help to reinforce data access and storage guidelines, but organizations should also actively monitor file transfers. Using employee monitoring software to watch, alert on, and block file transfers can help keep protected data from going astray.
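The kind of monitoring rule described above, as an added example that is not part of the original post: it flags transfers of PHI-tagged files over email, USB, or cloud upload to any destination outside the organization. The JSON event format, the user names, and the domains (ehc-example, ua-example) are constructed placeholders, not a real product's telemetry.

```python
"""Flag outbound transfers of PHI-tagged files to destinations outside the organization."""
import json
from urllib.parse import urlparse

# Constructed sample endpoint-agent events (hypothetical format, placeholder domains).
SAMPLE_EVENTS = [
    '{"user":"jdoe","channel":"cloud_upload","file":"radiology_2004_2014.xlsx","tags":["PHI"],"dest":"https://ua-example-my.sharepoint.com/personal/jdoe"}',
    '{"user":"asmith","channel":"cloud_upload","file":"oncology_notes.docx","tags":["PHI"],"dest":"https://ehc-example-my.sharepoint.com/personal/asmith"}',
    '{"user":"bwong","channel":"email","file":"holiday_party.pdf","tags":[],"dest":"friend@mail-example.net"}',
    '{"user":"jdoe","channel":"usb","file":"mri_schedule.csv","tags":["PHI"],"dest":"usb:SanDisk-1234"}',
    '{"user":"asmith","channel":"email","file":"referral.pdf","tags":["PHI"],"dest":"colleague@ehc-example.com"}',
    'not a json event',
    '{"user":"clee","channel":"email","file":"billing_2014.xlsx","tags":["PHI","PCI"],"dest":"clee@mail-example.net"}',
]

TRUSTED_DOMAINS = {"ehc-example.com", "ehc-example-my.sharepoint.com"}  # the organization's own tenants
WATCHED_CHANNELS = {"cloud_upload", "usb", "email"}
SENSITIVE_TAGS = {"PHI", "PCI"}  # labels assigned by an upstream classifier (assumed)


def dest_domain(dest):
    """Normalize a destination to a comparable domain; removable media has no domain at all."""
    if dest.startswith("usb:"):
        return "usb"
    if "@" in dest and "://" not in dest:          # e-mail recipient
        return dest.rsplit("@", 1)[1].lower()
    return (urlparse(dest).hostname or "").lower()  # URL of a cloud upload


def is_trusted(domain):
    """True only for the organization's own domains or their subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def flag_transfers(lines):
    """Return (user, channel, file, destination) for every sensitive transfer leaving the org."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is dropped rather than silently treated as benign
        if ev.get("channel") not in WATCHED_CHANNELS:
            continue
        if not SENSITIVE_TAGS.intersection(ev.get("tags", [])):
            continue
        domain = dest_domain(ev.get("dest", ""))
        if domain == "usb" or not is_trusted(domain):
            alerts.append((ev["user"], ev["channel"], ev["file"], domain))
    return alerts
```

Run over the sample events, the rule raises three alerts (the external OneDrive upload, the USB copy, and the external email) and stays quiet for the two transfers that remain inside the organization's own tenants.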