Insider Threat Management

Was This Hospital Employee Acting Maliciously?

Data breach at an Ohio hospital and malicious vs non-malicious insiders

Update, June 23, 2016: According to the Toledo Blade, Jamie Knapp was found guilty of accessing confidential patient records:

After 2 hours of deliberation, a U.S. District Court jury returned the verdict for Jamie Knapp, 26, of Adrian on a misdemeanor count of obtaining individually identifiable health information. She faces a maximum sentence of a year in prison for a violation of the federal Health Insurance Portability and Accountability Act. Prosecutors have said Knapp accessed more than 500 patient medical files at the Oregon hospital for no legitimate purpose. Jurors deliberated for about two hours prior to reaching a verdict.

-------------------------------------------------------------------------------------------------------------------------------

Background on the Jamie Knapp Insider Threat Case

In today’s Throwback Hack, we look back at a data breach at an Ohio hospital and an employee who may or may not have acted maliciously in accessing the information of patients whom she was not involved in treating.

Between April 1, 2013 and April 1, 2014, 25-year-old Jamie Knapp was employed as a respiratory therapist at ProMedica Bay Park Hospital in Oregon, Ohio. During that time, Knapp accessed the medical records of nearly 600 patients that she was not directly treating and had no valid business reason for doing so.

On April 2, 2014, the hospital discovered the breach. The ensuing investigation determined that Knapp may have accessed information that included patients’ full names, dates of birth, diagnoses, hospital visit numbers, medical record numbers, attending physicians, and prescribed medications.

Based on its records, ProMedica does not believe the compromised data included financial information or Social Security numbers. ProMedica also does not believe that Knapp intended to retain any of the information she viewed, but it has nonetheless individually notified the 594 affected patients that their protected health information was breached.

All of this raises the question of what exactly Knapp was trying to do. If no financial information was breached and none of the information was exported (presumably), then what had she accomplished?

Was Jamie Knapp a Malicious Insider Threat?

According to Knapp, she was looking at the patients’ records to help her to study for her upcoming state examination for respiratory therapists. While she claimed to have obtained permission from a supervisor to view those records, Knapp declined to give the name of that supervisor. Furthermore, ProMedica has said that the hospital has no record of such a request.

Hospital officials first became suspicious of Knapp after her co-workers reported seeing her entering the rooms of patients she was not involved in treating on both March 25 and April 1, each time removing containers full of used needles. Hospital authorities confronted Knapp and asked her to take a drug test. She refused and walked out, quitting her job.

“Once we discovered the breach, ProMedica immediately deactivated the employee’s access to patient information and the individual is no longer employed by ProMedica,” said a spokeswoman for the organization.

Case Resolution

Determining an individual’s intent is not always an easy thing to do. Monitoring their user activity on your servers, however, can be. Had the hospital set up a monitoring system that alerted them to Knapp’s suspicious—and unlawful—activity, they would have been able to confront the issue before it grew to the extent it did. Furthermore, they would have had concrete evidence to prove that she had broken the law.
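As an added illustration of the kind of monitoring described above (example code written for this article, not ProMedica’s system or any Proofpoint product), the following Python flags chart views by a user who is not on that patient’s care team and raises an alert when one user views an unusual number of such charts in a single day. The audit log lines, user names and medical record numbers are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR audit log: timestamp, user, patient MRN, action.
# Not real data; users and MRNs are made up for this example.
AUDIT_LOG = """\
2014-03-25T08:02:11 rt_smith MRN1001 VIEW_CHART
2014-03-25T08:05:40 rt_smith MRN1002 VIEW_CHART
2014-03-25T08:06:02 rt_smith MRN1003 VIEW_CHART
2014-03-25T08:06:30 rt_smith MRN1004 VIEW_CHART
2014-03-25T09:15:00 rn_lopez MRN1001 VIEW_CHART
2014-03-25T09:20:00 rn_lopez MRN2001 VIEW_CHART
2014-03-26T07:40:00 rn_lopez MRN3001 VIEW_CHART
"""

# Constructed care-team roster: which patients each user is assigned to treat.
CARE_TEAM = {
    "rt_smith": {"MRN1001"},
    "rn_lopez": {"MRN1001", "MRN2001"},
}


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "mrn": mrn, "action": action})
    return events


def unassigned_accesses(events, roster):
    """Return (user, mrn, ts) for every chart view of a patient the user is not assigned to."""
    return [(e["user"], e["mrn"], e["ts"]) for e in events
            if e["action"] == "VIEW_CHART"
            and e["mrn"] not in roster.get(e["user"], set())]


def daily_alerts(events, roster, threshold=3):
    """Alert on (user, day) when distinct unassigned patients viewed that day reach the threshold."""
    per_day = defaultdict(set)
    for user, mrn, ts in unassigned_accesses(events, roster):
        per_day[(user, ts.date().isoformat())].add(mrn)
    return {key: len(mrns) for key, mrns in per_day.items() if len(mrns) >= threshold}
```

A single out-of-roster view is often legitimate (a covering shift, a consult), which is why the alert keys on volume per day rather than on any one access; the flagged accesses themselves are the evidence the investigation would need.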

The breach was reported to the U.S. Department of Health and Human Services. The Oregon, Ohio Police Department, however, only learned of the breach through the local news media. On June 27, 2014, Oregon Police Chief Michael Navarre held a press conference: “We can’t prove what the motive is,” said Chief Navarre. “[We] can surmise, but we can’t prove [anything], and, oftentimes, that’s the way investigations end. The detectives have a pretty good idea what was going on, but they can’t prove it.”

The only part of the investigation that is ongoing is that which is being investigated by the federal government to determine if any Health Insurance Portability and Accountability Act (HIPAA) laws were violated – it certainly seems like they might have been. According to a spokesman for the U.S. Department of Health and Human Services, Department of Civil Rights, the federal investigation could take years longer to complete.

Final Thoughts

Hospitals and other medical facilities must be vigilant when it comes to protecting patient information. Between compliance regulations and criminal mischief, there is plenty for security officers to worry about monitoring.
