Ah, less-than-sweet mysteries of life: when you can’t figure out if or how you were breached

How frustrating for everyone: St. Agnes Hospital in Baltimore learned that 40 of its physicians had become victims of ID theft. The hapless victims had their names and Social Security numbers used to open wireless telephone accounts that they knew nothing about until they started receiving overdue notices from creditors.

But despite its best efforts to identify an internal source, St. Agnes Hospital could not confirm that a breach of its own systems had occurred at all. In a letter to those affected, the text of which was submitted to the state last month, it writes:

Once the reports were received, we reviewed all of the points of access and storage for this type of information in Saint Agnes systems. The only system that maintained the same information for all physicians making reports was the credentialing system. We conducted a careful access review and interviews and failed to detect unauthorized access, access after normal business hours, or any other suspicious activity in the system. We were unable to determine that there was a breach of any of our systems that allowed disclosure of the physicians’ personal data.

So what do you do when you suspect your organization has suffered a breach and you think you’ve narrowed it down to one part of your system, but you can’t find out how or when it happened? In this case, the hospital notified physicians that despite its inability to confirm any breach, given the seriousness of the problem, it intended to:

Review the list of users with access to sensitive personal data and minimize access where possible to only those who have a business need to access or review the information;

Refresh HIPAA privacy education in those departments routinely using physician information; and,

Investigate disguising or eliminating social security numbers in data systems where they are stored.

That’s nice, but shouldn’t they have been doing all of that already? And how about running more extensive criminal background checks on employees who could be simply writing down names and SSNs as they access data for their routine job duties? We’ve seen too many insider breaches in hospitals. Usually it’s patient data being sold, but why not physicians, too?
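The hospital's letter describes the kind of access review a defender runs over a system's audit log: looking for users who should not have had access, for activity outside normal business hours, and, given the insider scenario raised above, for a legitimate user who views far more physician records than the job requires. The script below is an added illustration, not the hospital's or any vendor's code; the one-line-per-event log format, the user list, the 07:00 to 19:00 business window and the "five times the median" bulk threshold are all assumptions, and the log lines are constructed.

```python
"""Audit-log review for a credentialing system (added example, not St. Agnes's code).

Flags three things a reviewer would want to see before concluding
"no suspicious activity": access by users not on the authorized list,
access after hours or at weekends, and one user viewing far more
records in a day than peers do. Log format and thresholds are assumed.
"""
from collections import Counter, defaultdict
from datetime import datetime, time
from statistics import median

# Assumed: the users with a business need to access physician records.
AUTHORIZED_USERS = {"jsmith", "mlee", "rpatel", "tjones"}
# Assumed business-hours window; anything outside it, or on a weekend, is "after hours".
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
# Assumed bulk-view rule: at least MIN_BULK views in a day and more than
# BULK_FACTOR times the median daily view count of the other users that day.
BULK_FACTOR, MIN_BULK = 5, 10

# Constructed sample log: "<ISO timestamp> <user> <action> <record id>" per line.
LOG_LINES = [
    "2007-03-05T09:12:04 jsmith VIEW PHYS-0107",
    "2007-03-05T09:14:31 jsmith VIEW PHYS-0212",
    "2007-03-05T10:02:15 mlee VIEW PHYS-0107",
    "2007-03-05T14:45:50 mlee UPDATE PHYS-0340",
    "2007-03-05T22:17:09 tjones VIEW PHYS-0512",   # weekday, but 22:17
    "2007-03-04T11:00:00 tjones VIEW PHYS-0513",   # Sunday
    "2007-03-05T11:30:00 ghost VIEW PHYS-0200",    # not on the authorized list
]
# One authorized user paging through 40 records in 40 minutes on a Monday afternoon.
LOG_LINES += [f"2007-03-05T13:{m:02d}:00 rpatel VIEW PHYS-{n:04d}"
              for m, n in zip(range(40), range(1, 41))]


def parse_line(line):
    """Split one audit line into its fields; timestamps are ISO 8601."""
    ts, user, action, record = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "record": record}


def is_after_hours(ts):
    """True on weekends (weekday() 5 or 6) or outside the business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review(lines):
    """Return the three finding lists for the given audit lines."""
    findings = {"unauthorized": [], "after_hours": [], "bulk_view": []}
    views = defaultdict(Counter)  # date -> user -> number of VIEW events
    for e in (parse_line(l) for l in lines):
        if e["user"] not in AUTHORIZED_USERS:
            findings["unauthorized"].append((e["user"], e["record"]))
        if is_after_hours(e["ts"]):
            findings["after_hours"].append((e["user"], e["ts"].isoformat()))
        if e["action"] == "VIEW":
            views[e["ts"].date()][e["user"]] += 1
    # Compare each user's daily view count with the median of everyone else that day,
    # so the heavy user does not drag up the baseline they are measured against.
    for day, counter in views.items():
        for user, n in counter.items():
            others = [c for u, c in counter.items() if u != user] or [0]
            baseline = max(median(others), 1)
            if n >= MIN_BULK and n > BULK_FACTOR * baseline:
                findings["bulk_view"].append((day.isoformat(), user, n))
    return findings


if __name__ == "__main__":
    for category, items in review(LOG_LINES).items():
        print(category, items)
```

Run against the constructed log, the review reports the unlisted user `ghost`, both of `tjones`'s after-hours events, and `rpatel`'s 40-record sweep, even though `rpatel` is authorized and was working at a normal time. That last finding is the point: an access review that only checks for unknown accounts and odd hours will pass an insider who copies names and SSNs while doing the routine job, so a per-user volume baseline belongs in the review as well.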