Vetting any employee handling sensitive information is an important risk management control. And then there is the potential HIPAA violation for not vetting new hires who will access PHI. This also applies to vendors contracted by public and private organizations. It is the responsibility of the data owner to ensure that all individuals handling the information are dependable and low risk. These are certainly lessons learned by the Washington, D.C. Department of Behavioral Health (DBH)… lessons that shouldn’t have been necessary.
[Graphic from Clearwater Screening]
In January, college student Briana Jenkins received a box of material in response to her online agreement with someone using the Facebook alias “Summer Rose Love.” The agreement was to do Summer Rose’s notes for $150 every two weeks. When Jenkins looked in the box, mental alarms sounded.
The box contained 12 DBH case files with PII and PHI. Jenkins knew immediately that she should not have this information and called the director of Inner City Family Services, the apparent sender of the box. Inner City Family Services (ICFS) is contracted by the DBH to provide social services. Per the ICFS website, these services include:
- Individual Counseling
- Family Counseling and Training
- Community Support
- Crisis Intervention
- Diagnostic Assessments
- Psychological Evaluation
- Behavioral Aid
- Medication Management
Obviously, sharing this information with unauthorized persons is bad, but ICFS employee LaTonya Vaughter apparently didn’t get the message… or simply didn’t care. You see, before Vaughter began working for ICFS, she pleaded guilty to a liquor store heist. How did a felon get access to sensitive data, including PHI?
Background checks. Let’s address the HIPAA issues in this incident as an example. Performing background checks on anyone handling PHI is an addressable standard under HIPAA. So how did a convicted felon get a job as a counselor with access to PHI? And how is it that D.C. officials didn’t know that ICFS was not effectively screening its employees? What controls should have been in place?
When using any service provider, we must clearly stipulate in our agreement our expectations regarding sensitive data handling. In addition, we must retain the right to periodically check through audits or other means to ensure our expectations are met. A third-party certification (SSAE 16, for example) can also help determine whether our data are properly protected.
The Final Word
It’s the responsibility of the organization engaging subcontractors to ensure only carefully selected individuals have access to the organization’s sensitive data. In this case, D.C. had the responsibility. Using a service provider does not transfer responsibility for protecting our information. We are still responsible. This incident is a great example of what can happen when we don’t pay attention…
Source: SANS ISC SecNewsFeed @ March 4, 2017 at 01:15PM