Snooping Into Health Records Often Unnoticed
Snooping into celebrity health records by workers at UCLA Medical Center sheds light on a largely hidden ailment facing employers: their own people peeking at confidential data.
Don Harris, president of consulting firm HR Privacy Solutions, says that although UCLA has been in the spotlight in recent months, there are other recent examples of an organization’s workers improperly reviewing data, a practice that can lead to identity theft or otherwise stain a company’s reputation.
Known cases likely are exceeded by incidents where employees got away with accessing sensitive information, Harris says.
“Probably a lot more snooping goes on that doesn’t get caught,” Harris says.
Data breaches—when an organization’s information is exposed in some way—have become a major issue for businesses. Much of the public attention around the incidents has focused on external computer hackers. But a tally of data breaches kept by the Privacy Rights Clearinghouse advocacy group shows that since 2005, more than 20 reported breaches were linked to a “dishonest insider” or to deliberate wrongdoing by current or former employees or contractors.
There have been repeated data snooping incidents at UCLA Medical Center. In April, a former UCLA Medical Center employee was indicted for selling information from celebrities’ medical files to a national media outlet.
The U.S. Attorney’s Office for the Central District of California, which announced the indictment, did not name the celebrities or the media outlet. But the Los Angeles Times reported that the National Enquirer was the outlet, and the former employee allegedly snooped into the medical records of Maria Shriver, the wife of California Gov. Arnold Schwarzenegger; actress Farrah Fawcett; and many others.
In April, a California Department of Public Health probe found that UCLA Medical Center workers improperly accessed a celebrity’s medical records in 2005 and earlier this year. Although state officials did not name the patient, the Los Angeles Times identified the celebrity as singer Britney Spears.
UCLA isn’t alone in experiencing high-profile data breaches. In March, reports said the passport files of presidential candidates were improperly accessed by workers at the State Department.
And in February, the Associated Press reported that employees at Wisconsin’s largest utility, WE Energies, routinely accessed confidential information about local celebrities and others from its customer database.
Preventing employee snooping and other data breaches boils down to technology fixes and people management.
Harris says organizations are realizing it’s not enough to put policies in place; audits are now needed to check on employees.
“I think that’s the next step,” he says.
UCLA said in April that it was expanding the auditing capabilities of major clinical information systems.
WE Energies also has added safeguards, including improved software, says spokesman Brian Manthey.
“If someone’s account is open, it has to be for a business purpose,” he says.
Beth Givens, director of the Privacy Rights Clearinghouse, isn’t sure how well any organization can guard against star-struck employees.
“If an employee with access to sensitive information has an obsession with a celebrity,” she says, “it’s going to be difficult.”