Recent Insider Threat: Sutter Health
Medical records hold a large amount of data. They include not only medical diagnoses but may also include payment information along with health insurance data. The sale price of each individual record may not be large; however, the value resides more in the data itself. The price depends not only on the data in each file but also on how the records are bundled.
Access to medical records is limited. Not every person in a medical facility requires access to them. The data may lure staff members of the facility to view these records without authorization in order to gain knowledge. This could be more of a curiosity issue, or it could have a more malicious slant, with the exfiltration and sale of the data. In prior years, this has occurred with celebrities and other prominent figures.
Another incident of this type occurred recently. Sutter Health in California fired two employees after they accessed medical records. Normally this would not be an issue, as many people are allowed to view medical records as part of the role and responsibilities of their position; however, these staff members were not authorized to do so. The two employees allegedly accessed the medical records of Joseph DeAngelo, who is suspected of being the Golden State Killer.
Naturally, medical records are to be held in an exceptionally secure manner and accessed by authorized parties only when required for their position. This includes not only data segregation and encryption, but also authorization.
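The authorization point above is what an access audit enforces after the fact: a record view is legitimate when the viewer's role permits that section of the record and, for clinical data, when the viewer has a current treatment relationship with the patient. The following is an added example, not Sutter Health's code or anything from the original article; the staff IDs, patient IDs, role table, assignments and log lines are all constructed for illustration. It scans a small access-log excerpt and returns each access that falls outside those two rules, separating documented break-glass accesses (which still warrant review) from plain no-relationship views like the one the article describes.

```python
"""Added example: flag electronic health record accesses that fall outside a
staff member's role or assigned patients. Not Sutter Health's code; every
identifier and log line below is constructed for illustration."""
from __future__ import annotations

import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample: the patients each staff member is currently assigned to
# (a treatment relationship). Staff and patient IDs are placeholders.
ASSIGNMENTS = {
    "nurse01": {"P-1001", "P-1002"},
    "doc07": {"P-1001", "P-1003"},
    "billing03": set(),  # billing staff have no clinical assignment
}

# Constructed role table and the record sections each role may read by default.
ROLE_OF = {"nurse01": "nurse", "doc07": "physician", "billing03": "billing"}
ALLOWED_SECTIONS = {
    "nurse": {"clinical", "demographics"},
    "physician": {"clinical", "demographics", "billing"},
    "billing": {"demographics", "billing"},
}

# Constructed access-log excerpt: timestamp, user, patient, section, reason.
SAMPLE_LOG = """\
ts,user,patient,section,reason
2018-04-25T09:12:01,nurse01,P-1001,clinical,
2018-04-25T09:15:44,nurse01,P-1005,clinical,
2018-04-25T10:02:10,billing03,P-1003,billing,
2018-04-25T10:05:31,billing03,P-1003,clinical,
2018-04-25T11:40:00,doc07,P-1009,clinical,break-glass: ED consult
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    patient: str
    section: str
    rule: str  # which rule fired: role-section, no-relationship, break-glass


def audit(log_text: str) -> list[Finding]:
    """Return one Finding per access that violates role or relationship rules."""
    findings: list[Finding] = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient, section = row["user"], row["patient"], row["section"]
        role = ROLE_OF.get(user, "unknown")

        # Rule 1: the section is not permitted for this role at all.
        if section not in ALLOWED_SECTIONS.get(role, set()):
            findings.append(Finding(row["ts"], user, patient, section, "role-section"))
            continue

        # Rule 2: clinical data viewed without an assignment. A documented
        # break-glass reason is recorded separately so reviewers can confirm it.
        if section == "clinical" and patient not in ASSIGNMENTS.get(user, set()):
            reason = row["reason"] or ""
            rule = "break-glass" if reason.startswith("break-glass") else "no-relationship"
            findings.append(Finding(row["ts"], user, patient, section, rule))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

In a real deployment the assignment and role tables would come from the scheduling and identity systems rather than literals, and the no-relationship findings would feed a review queue; the point of the example is that the two checks are cheap to express once those data sources exist.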
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.