Johns Hopkins Hospital recently announced a data breach caused by a single employee in patient registration who accessed more than 10,000 pieces of personally identifiable information. Reports of fraud started back in January and have been traced to records held at Johns Hopkins.
The employee in question has been linked to a larger driver's license fraud scheme in nearby Virginia. These types of incidents are appearing more and more. While we protect against attacks coming across the internet with firewalls, and against malware with endpoint protection, it is getting easier to go after valuable personally identifiable information directly: plant an employee inside the organization, or simply pay off an employee who is already in the system, especially low-paid administrative staff.
The employee in question is expected to be indicted, but this still raises some questions: who has access to your business's sensitive data, and why? Administrative staff need appropriate access rights to do their jobs, but access to every patient record containing personally identifiable information is almost certainly excessive. Of note, this is not the first incident at Johns Hopkins Hospital: in 2007 there were reports of a contractor stealing backup tapes holding over 135,000 patient and employee records. In neither case was the data encrypted.
The hospital, in an attempt to put the public at ease, has stressed that this was not a hacking incident, but simply theft by one of its own employees. Whew, well that's a relief. While we have become smarter at securing the borders of our businesses, we cannot forget the threat that comes from within: we must ensure that only those who need access to the data have it, that every access is logged and reviewed, and that the data itself is encrypted at rest.
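A minimal version of those controls in code, as an added example that is not from the original post: a role-to-field policy check (least privilege), a parser for a constructed access log, and a detection pass over that log that flags any user whose distinct-patient count for one day is far above the median for their role, which is the pattern a single registration clerk pulling 10,000 records would produce. The role names, field names, log format, dates and thresholds are all assumptions made for the example, and the sample log is constructed, not real hospital data.

```python
"""
Insider-threat checks over a constructed EHR access log (added example).

Two controls are demonstrated:
  1. authorize()            - least privilege: a role may only read the fields
                              assigned to it (hypothetical policy table).
  2. flag_volume_outliers() - detection: a user whose distinct-patient count
                              for a day is far above their role's median.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# Hypothetical role policy: the record fields each role is allowed to read.
ROLE_FIELDS = {
    "registration": {"name", "dob", "insurance_id"},
    "nurse": {"name", "dob", "allergies", "medications"},
    "billing": {"name", "insurance_id", "ssn"},
}


@dataclass(frozen=True)
class AccessEvent:
    day: str
    user: str
    role: str
    patient_id: str
    fields: frozenset


def authorize(role, requested_fields):
    """Return (allowed, denied_fields). Unknown roles may read nothing."""
    allowed = ROLE_FIELDS.get(role, set())
    denied = set(requested_fields) - allowed
    return (not denied, denied)


def parse_log(lines):
    """Parse 'day user role patient_id field1,field2' lines; skip comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, user, role, patient, fields = line.split()
        events.append(AccessEvent(day, user, role, patient,
                                  frozenset(fields.split(","))))
    return events


def scope_violations(events):
    """Every event where the role was not entitled to all requested fields."""
    out = []
    for e in events:
        ok, denied = authorize(e.role, e.fields)
        if not ok:
            out.append((e.user, e.patient_id, denied))
    return out


def distinct_patients_per_user_day(events):
    seen = defaultdict(set)
    for e in events:
        seen[(e.user, e.role, e.day)].add(e.patient_id)
    return {k: len(v) for k, v in seen.items()}


def flag_volume_outliers(events, factor=5.0, min_count=50):
    """Flag (user, role, day, count) where count is both above an absolute
    floor and more than `factor` times the median for that role.
    The median is used so one heavy user does not drag the baseline up."""
    counts = distinct_patients_per_user_day(events)
    per_role = defaultdict(list)
    for (_, role, _), n in counts.items():
        per_role[role].append(n)
    flags = []
    for (user, role, day), n in counts.items():
        baseline = statistics.median(per_role[role])
        if n >= min_count and n > factor * baseline:
            flags.append((user, role, day, n))
    return sorted(flags)


def build_sample_log():
    """Constructed sample log: three clerks doing normal work, plus one clerk
    pulling 200 records in a day, some including a field outside their scope."""
    lines = ["# day user role patient_id fields"]
    for day in ("2010-02-01", "2010-02-02"):
        for clerk in ("clerk01", "clerk02", "clerk03"):
            for i in range(4):
                lines.append(f"{day} {clerk} registration "
                             f"P{clerk[-2:]}{i:03d} name,dob,insurance_id")
    for i in range(200):
        fields = ("name,dob,insurance_id,ssn" if i % 20 == 0
                  else "name,dob,insurance_id")
        lines.append(f"2010-02-02 clerk04 registration P99{i:03d} {fields}")
    return lines


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("scope violations:", len(scope_violations(evs)))
    print("volume outliers:", flag_volume_outliers(evs))
```

The volume rule needs both the absolute floor and the ratio: without the floor, a quiet day for the whole role makes any ordinary user look like an outlier; without the ratio, a single fixed number has to be retuned for every role. In a real deployment the log would come from the EHR's audit trail and the baseline from weeks of history rather than one day.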