
Patient Data Theft & HIPAA Implications

Today Naples News in Florida reported:

"We often hear of Medicare fraud. We shake our head at the millions and even billions of dollars lost to bureaucratic ineptitude and theft. Then a case hits home.  A former employee of Cleveland Clinic Hospital in North Naples and a relative who worked for a Naples-based health-insurance claims company have been arrested and charged with stealing records of more than 1,100 patients.  The Cleveland Clinic receptionist had been on the job for over a year, and the theft took place in June, authorities say. Her suspicious activity was noticed by a co-worker, who alerted superiors. The arrests were made almost immediately.  Authorities so far decline to spell out exactly what the suspects and maybe others planned to do with the data, but suffice it to say that someone other than those who provided care were to get money.  The hopeful rays of light in this story are that the arrests were made so quickly and that a co-worker was empowered to come forward. A harsh light, though, is cast on the inability by law of victimized patients to sue for problems that could result from financial and other personal data falling into the wrong hands. Medical institutions can be entrusted with confidentiality, then be unaccountable for safe-keeping?  It is important for all the details on this case to come to light. The local health-care industry and its consumers stand to learn a great deal."

Some notes about the situation:

  • A coworker was alert and told management about the suspicious conduct.  Thank goodness!  This is something more companies need to encourage their personnel to do.  The amount of crime and fraud committed by trusted insiders is significant.  Making all personnel aware of what to do if they see someone putting the business, or the health of others, at risk not only helps catch bad things as they happen, but also dissuades those considering a crime, who know their coworkers are likely to report them.
  • It seems criminal charges could and should be filed in accordance with HIPAA against the former employee and the accomplices.  Hopefully they will be.
  • I don't agree with the statement that the victims cannot sue.  I'm not a lawyer, but it seems there are certainly many ways in which civil actions could be brought against the criminals by the victims.
  • It is likely they could also bring some kind of action against the hospital.  However, a successful action against the hospital would seem unlikely given the reality of the insider threat.  From the hospital's point of view, it is important that they have a comprehensive information security and privacy program in place and are enforcing their policies.  If they have documentation to validate that they did everything possible to safeguard information, and a trusted employee with authorized access to PHI still committed the theft, then it would be very hard to find the hospital guilty of wrongdoing.  The insider threat is real, and the best way to protect against it, in addition to a sound information security program, is to raise the awareness of personnel so that you have many eyes and ears noticing and reporting when bad things are going on...not just the folks in the info sec area.

Comments

Patients are trusting their healthcare providers with not only their health, but also the most sensitive of information. Doctors and hospitals owe it to their clients to take EVERY possible measure in order to secure personal data.
This includes taking care to install firewalls, protecting every laptop that houses patient data to make sure it is secured in case of theft, encrypting outbound email messages and employing an email anti-theft solution, such as Taceo, to protect messages and file attachments after they've been received.
Some safety measures might seem "extreme", but with confidential patient info, there is too much at stake to risk having a data leak.

Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.