I have said it time and time again… HIPAA security starts with employee education. You can lock your systems down, run scans, use antivirus, do regular patching, etc. All it takes is for an employee to click on something or upload something and boom… you have a breach. The latest victim is Blue Cross and Blue Shield. An employee uploaded a file containing member information to a public-facing website. The worst part is that this happened in April and was not discovered until July. It exposed over 16,000 patients. That is only 1% of its members, but it happened. Did they provide employee education? Did this employee simply upload the wrong file, or did they not understand what they were doing? Was it malicious?
The data was out there for 3 months, and they are unable to determine whether it was accessed. The breach included names, dates of birth, diagnosis codes, provider details and procedure codes: all the information needed to process claims. No Social Security numbers or financial data such as credit card numbers were exposed. This is important because that is the information that could be used in medical identity fraud.
This breach should serve as a stark reminder for practices to have proper access controls, network monitoring, policies and procedures, and employee education in place. Biannual training, plus training upon hiring and at termination, will help eliminate some of these unnecessary breaches.