Former hospital employees are a hidden threat to patients’ privacy, as they frequently walk away from their workplaces with the logins and passwords that access hospital electronic health record systems.
Government enforcers are putting hospitals on notice that the practice has to stop. Hospitals have been hit with nearly $10 million in penalties for data breaches engineered by former employees over the last four years that exposed more than 120,000 patient records to potential fraud and abuse.
Hospitals need to review password policies, be on alert for employees that share logins and passwords, and pay attention to how they handle terminated employees, compliance attorneys say.
The Department of Health and Human Services Office for Civil Rights (OCR) previously didn’t call out hospitals for data breaches involving former employees, although the office has been consistent in penalizing exposure of patients’ data for other reasons.
In 2014, the OCR issued its first enforcement action against a hospital based on former employees’ access to patient data. The most recent action was in December, when Pagosa Springs (Colo.) Medical Center settled for $111,000 because an ex-employee retained access to the hospital’s computer network for nearly two months and was able to access 557 patient records.
The exposure of patient records is a violation of health privacy law, which can mean steep penalties if lots of them are exposed. For example, Florida-based Memorial Healthcare System settled for $5.5 million after a former employee maintained access to 80,000 patient records.
Patients didn’t report fraud or abuse in either of these cases, but the incidents show the vulnerability of electronic health data when hospitals are behind the times on data security.
The theft of patient data by former employees accounted for 102 of the 603 internal health-care data breaches reported to the OCR between 2009 and 2017, placing it among the top three causes, according to a Journal of the American Medical Association study published in November.
Breaches are also caused by outside hackers who penetrate a hospital’s computer system or employees who inadvertently disclose patient data through mailing mistakes.
In some cases, hospitals aren’t following their own policies on deactivating logins and passwords for former employees, while in other situations they allow several employees to share a common login and password.
About three quarters of surveyed health-care professionals (73 percent) reported using a colleague’s login and password to access patient records, according to a 2017 study published in Healthcare Informatics Research.
The findings were echoed in December 2018 research from the Nashville-based Clearwater CyberIntelligence Institute that identified user authentication deficiencies as one of the top three security vulnerabilities facing hospitals and health systems. Deficiencies included everything from generic logins and passwords to instances of passwords being posted on computer monitors.
Clearwater works with health-care companies on compliance and security issues and based its findings on an analysis of millions of records from hospitals.
The threat to a health-care organization goes up significantly when an employee is terminated. Human resources and IT departments need to cut system access privileges immediately for workers who leave the organization, Iliana Peters, an attorney with Polsinelli PC in Washington, told Bloomberg Law. Peters is a former OCR deputy director.
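One way an IT or compliance team can check for the gap the article describes (an account left active after an employee leaves, and logins on it after the termination date). This is an added example, not code from the article or from any organization it names; the HR records, account export and log lines are constructed, and the `key=value` log format is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample data: HR termination dates, the identity system's
# account export, and a few authentication log lines (not real records).
TERMINATIONS = {"jdoe": "2018-10-15", "asmith": "2018-11-01"}
ACCOUNTS = [
    {"user": "jdoe", "enabled": True},    # left but never deactivated
    {"user": "asmith", "enabled": False}, # offboarded correctly
    {"user": "bwong", "enabled": True},   # current employee
]
AUTH_LOG = [
    "2018-10-14T08:02:11 user=jdoe result=success src=10.1.4.7",
    "2018-11-20T22:47:03 user=jdoe result=success src=203.0.113.9",
    "2018-11-03T09:10:00 user=asmith result=failure src=10.1.4.20",
    "2018-11-03T09:11:00 user=bwong result=success src=10.1.4.21",
]

def parse_auth_line(line):
    """Parse an assumed '<iso-timestamp> key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_offboarding_gaps(terminations, accounts, auth_log, grace_hours=0):
    """Return (user, finding) pairs for terminated users whose account is
    still enabled, or who logged in successfully after termination
    (plus an optional grace period for same-day handover)."""
    term_dates = {u: datetime.fromisoformat(d) for u, d in terminations.items()}
    findings = []
    for acct in accounts:
        u = acct["user"]
        if u in term_dates and acct["enabled"]:
            findings.append((u, "account still enabled after termination"))
    for line in auth_log:
        rec = parse_auth_line(line)
        u = rec["user"]
        if u not in term_dates or rec["result"] != "success":
            continue
        if rec["ts"] > term_dates[u] + timedelta(hours=grace_hours):
            days = (rec["ts"] - term_dates[u]).days
            findings.append(
                (u, f"successful login {days} days after termination from {rec['src']}"))
    return findings

if __name__ == "__main__":
    for user, finding in find_offboarding_gaps(TERMINATIONS, ACCOUNTS, AUTH_LOG):
        print(f"{user}: {finding}")
```

Running the same reconciliation on a schedule, rather than once at termination, is what catches the multi-week gap the Pagosa Springs case illustrates.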
Colin Zick, a health-care attorney with Foley Hoag LLP in Boston, offered Bloomberg Law a particularly harrowing account.
“One of our clients had a very nasty experience along these lines. The former employee left on bad terms, and left himself a back door to steal a huge number of health records and Social Security numbers,” Zick said. The former employee then went on to blackmail his old company.
“This is a clear demonstration about why sharing logins and passwords is a terrible idea,” he said.
A formal policy on password management can deter ex-employees from accessing patient data. For example, Weill Cornell Medicine in New York requires all employees to have a unique user login and password and bans any password sharing, while Ascension Columbia-St. Mary’s Hospital in Milwaukee requires that all passwords be changed every 90 days.
“The security risk is especially heightened in cases of acrimonious terminations where the former employee may have an ax to grind with his or her employer,” Jami Vibbert, a privacy attorney with Venable LLP in New York, told Bloomberg Law.
Hospitals that don’t protect patient data face more than just fines. Memorial Healthcare’s $5.5 million settlement included a three-year corrective action plan that requires it to undergo third-party risk assessments and report on a regular basis to the OCR.
Other incidents of former-employee data breaches include a $3.5 million agreement in 2015 with Triple-S Management and a December 2017 breach at medical transcription company Nuance Communications that exposed 45,000 records.