Cybercrime and Insider Threats in Healthcare Organizations: Motive, Prevention, and Mitigation


DOI: 10.4018/979-8-3693-1634-4.ch001

Abstract

Cybercrime costs an estimated $575 billion per year and healthcare continues to be the most targeted sector in the world. News headlines are rife with data leaks and data breach incidents. These breaches lead to the theft of personal, financial, and health information from users who are often only notified of the breach well after it occurred, and the damage has already been done. Insider threats can be loosely categorized as malicious or negligent, based on their intent (or lack thereof). This case study focuses on one such malicious incident where a ring of hospital employees was indicted for allegedly selling patient credit card and medical information online. The authors provide practitioners with a deeper understanding of how PII is misused, motivations for its theft, and recommendations to avoid such incidents in their own organizations.

Background

Cybercrime costs an estimated $575 billion per year and healthcare continues to be the most targeted sector in the world (Abulencia, 2021). News headlines are rife with data leak and data breach incidents. These breaches lead to the theft of personal, financial, and health information from users who are often only notified of the breach well after it occurred, and the damage has already been done. When the perpetrators are an organization’s employees, the impact of lowered morale and trust levels among employees should also be factored into costs (Burrell et al., 2021).

Personal health information (PHI) breaches, meaning any impermissible use or disclosure of protected personal health information, are extremely consequential for healthcare organizations, their patients, and their customers (Pool et al., 2019). In 2022, 588 breaches were reported to US Health and Human Services, affecting 44.7 million patients in total (Office of Information Security, 2023). Whether because patient data is easy to access, because many people must handle each patient’s data, or because cybersecurity policies are relaxed, healthcare organizations are more vulnerable to data breaches than organizations in other industries (Gordon, 2017). Unauthorized access, theft, and hacking/IT incidents accounted for 98% of 2022 US healthcare data breaches (Office of Information Security, 2023).

Examples of such incidents include a 2019 breach in which 23,000 patient records at Critical Care Pulmonary & Sleep Associates were compromised when a hacker gained access to an employee’s email account and sent phishing emails to other employees, eventually exposing patient data (Davis, 2019). In 2021, a pharmaceutical company employee was charged with uploading more than 12,000 files containing trade secrets related to its COVID-19 vaccine to a rival company, using a corporate laptop over a three-day window (Office of Information Security, 2023). Also in 2021, a San Diego hospital employee was charged with stealing the identities of dying patients to file fraudulent COVID benefit claims (Brewster, 2021).

Insider threats figure prominently in healthcare data breaches, far more than in other industries (Verizon, 2022). An insider threat is potentially any person within a healthcare organization, or any contractor, who has access to assets or to inside information concerning the organization’s security practices, data, and computer systems (Office of Information Security, 2023). Insider threats can be loosely categorized as malicious or negligent, based on their intent (or lack thereof) (Office of Information Security, 2021).

This case study centers on one such malicious incident where a ring of hospital employees was indicted for allegedly selling patient credit card and medical information online. The study aims to provide insights that can assist organizations in preventing and mitigating similar incidents. To protect the privacy of the case study subject, they will hereafter be referred to as Hospital X.
