Need a fix? Steal patient data

Trusted insiders harvesting patient data without a 'need to know'


The health care sector continues to be a sieve when it comes to protecting patients' Personally Identifiable Information (PII) and Protected Health Information (PHI). Often, the data breach involving PII or PHI is discovered by a third party, which leaves the doctor, dentist, hospital or pharmacy dumped into sleuth mode.

This was not the case with the Canadian medical provider William Osler Health Systems (Osler). According to Canadian news outlet 680news, in January Osler launched an internal investigation into patient information being used to illicitly acquire a prescription narcotic, Percocet. Osler's internal narcotic stores of Percocet were inexplicably being depleted. What is unclear is whether local pharmacies also reported an influx in fulfilling prescriptions for Percocet, 680news reported. Osler has not revealed the number of individuals affected. A call to Osler for clarification was not returned.

CTV-News reported that the Osler investigation pointed to one of its registered nurses, Catharina Demme, who Osler has confirmed had accessed the PHI and PII of patients. Various media reports cite individuals who were affected despite not using Osler’s services in several years. Therefore, it is logical to conclude the information being accessed by Demme was both current and historical PII/PHI records.

Peel Police's late-April press release states, "Catharina Demme gained access to patient names from a list on a computer database in order to access narcotics for non-hospital related use. Demme only had limited access to patient information." Demme, who was arrested on March 30, has been charged with "Breach of Trust and Theft under $5,000." Peel Regional Police (Canada) Constable Mark Fischer commented to CBC, "She (Demme) was taking a quantity of drugs, in this incident mostly Percocet, using different names to get this quantity of drugs."

Trusted insider breaks trust

Demme, a registered nurse, had access to the hospital patient record systems at Osler. Osler publicly declares that it has logging, auditing and monitoring policies and procedures in place, including communication of these controls to all "authorized users."

And there is the rub. Demme had authorized access to the information. It was her alleged pilfering of Percocet from the dispensary that apparently was the impetus for the internal investigation within Osler. It does not appear to have been her sifting through patient files looking for the ones who had Percocet prescriptions.

One of the most difficult tasks for protection of PII/PHI for health care providers is the electronic audit process. The audit trail will show patient data being accessed by an authorized user. Does the audit trail correlate to an actual need to know by the authorized user? This is the more difficult question.

That is to say, is the patient whose records are being accessed presenting themselves for treatment or consult?

The question for health care information technology teams is this: would your organization know whether the patient data being accessed belongs to a patient who is currently receiving care?

Are the various physical touch points with patients (telephone, consults, in/out patient appointments, etc.) within the medical engagement associated with authorized user access to medical records?

Collating and processing such disparate data will provide clarity, not only within the health care sector but also in the protection of any sensitive data.

The key can be found within the answer to the question: do your data protection technologies distinguish between "need to know" and "curiosity or malevolent access?"
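The check the preceding paragraphs describe, correlating record-access audit entries with the patient's actual clinical touch points, is sketched below as an added example; it is not code from the article or from Osler, and the users, patient identifiers, encounter records and 24-hour grace window are all constructed assumptions for illustration. An access is flagged when the user opened a chart for a patient who had no encounter (visit, admission, phone consult) within the grace window, and a per-user summary surfaces the pattern that matters in a case like this one: one authorized user touching many charts that have no care context.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed record types: a chart access from the EHR audit trail and a
# clinical encounter from the scheduling/ADT system. Real systems export
# these as CSV or HL7/FHIR; the field set here is the minimum needed.
@dataclass(frozen=True)
class Access:
    user: str
    patient_id: str
    at: datetime

@dataclass(frozen=True)
class Encounter:
    patient_id: str
    kind: str          # e.g. "clinic", "inpatient", "phone"
    start: datetime
    end: datetime

# Assumed grace window: chart work shortly before or after an encounter
# (prep, charting, follow-up) is treated as justified.
GRACE = timedelta(hours=24)

def find_unjustified_accesses(accesses, encounters, grace=GRACE):
    """Return accesses with no encounter for that patient inside the window."""
    by_patient = defaultdict(list)
    for e in encounters:
        by_patient[e.patient_id].append(e)
    flagged = []
    for a in accesses:
        justified = any(
            e.start - grace <= a.at <= e.end + grace
            for e in by_patient.get(a.patient_id, [])
        )
        if not justified:
            flagged.append(a)
    return flagged

def summarize_by_user(flagged):
    """Count distinct patients per user among the flagged accesses."""
    patients = defaultdict(set)
    for a in flagged:
        patients[a.user].add(a.patient_id)
    return {user: len(ids) for user, ids in patients.items()}

def users_over_threshold(summary, threshold=2):
    """Users whose unjustified-access count exceeds the review threshold."""
    return sorted(u for u, n in summary.items() if n > threshold)

# Constructed sample data (dates chosen arbitrarily).
ENCOUNTERS = [
    Encounter("P001", "clinic",    datetime(2017, 3, 1, 9),  datetime(2017, 3, 1, 10)),
    Encounter("P002", "inpatient", datetime(2017, 3, 2, 8),  datetime(2017, 3, 5, 12)),
]
ACCESSES = [
    Access("nurse_a", "P001", datetime(2017, 3, 1, 9, 30)),   # during visit
    Access("nurse_a", "P002", datetime(2017, 3, 3, 14)),      # during admission
    Access("nurse_a", "P002", datetime(2017, 3, 6, 9)),       # within grace after discharge
    Access("nurse_b", "P001", datetime(2017, 3, 10, 11)),     # no encounter near this date
    Access("nurse_b", "P003", datetime(2017, 3, 10, 11, 5)),  # patient has no encounter at all
    Access("nurse_b", "P004", datetime(2017, 3, 10, 11, 9)),  # same, historical record
]

def run_sample():
    flagged = find_unjustified_accesses(ACCESSES, ENCOUNTERS)
    summary = summarize_by_user(flagged)
    return flagged, summary, users_over_threshold(summary)

if __name__ == "__main__":
    flagged, summary, review = run_sample()
    for a in flagged:
        print(f"UNJUSTIFIED {a.user} -> {a.patient_id} at {a.at.isoformat()}")
    print("per-user summary:", summary)
    print("users for review:", review)
```

The grace window and threshold are tuning knobs: too narrow and legitimate charting before a scheduled visit is flagged, too wide and a user quietly reading a chart a week after discharge slips through. The useful signal is usually not a single flagged access but a user whose flagged set spans many patients, none of whom are on that user's unit or schedule.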

While no reference has been made to a violation of Canada’s Personal Health Information Protection Act (PHIPA), available information certainly points in this direction. According to CTV-News, Osler is taking steps to preclude a recurrence of this "type of event."


Copyright © 2017 IDG Communications, Inc.
