Former Executive Accessed PHI of Nearly 38,000 Individuals
Accountable Care Organization Says It’s Investigating 2020 Incident
… Organizations should also take steps to ensure the return of company-owned mobile computing and storage devices, or the deletion of sensitive data at the end of a worker’s employment, experts note.
“We recommend that HR and/or IT uses a checklist to ensure assets are returned and any work-related data that is not stored within company assets is erased or destroyed,” says Tom Walsh, president of privacy and security consultancy tw-Security.
Personally owned devices – including smartphones, laptops, tablets and portable media – may contain confidential information that belongs to the organization, he notes.
“Most medium- and large-size organizations should have mobile device management, which could facilitate doing a remote wipe of company data from any personally owned device enrolled in their bring-your-own-device program,” Walsh says.
Other important steps covered entities and business associates should take when employees – including executives – leave their employment include ensuring that their access to PHI has ended, Walsh says.
That includes checking for rules in the former executive’s email account/mailbox.
“The executive may have set up a rule in email to automatically forward certain emails to a personal email account,” he says.
“Even after termination, the rule may still be in place because the organization would likely change the password to the executive’s email account/mailbox, but keep the account/mailbox active to ensure that key communications are not missed.”
Another person in the organization may have the responsibility for monitoring incoming emails into the terminated executive’s mailbox, he notes. “But if someone didn’t check the account to verify if the rules were turned off, they may not even be aware of the auto-forwarding activity.”
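One way to check for the forwarding rules Walsh describes, as an added example that is not from the article or from tw-Security: audit an export of a terminated user's inbox rules and flag any whose targets lie outside the organisation's own mail domains. The record shape (`mailbox`, `name`, `enabled`, `forward_to`, `redirect_to`, `forward_as_attachment_to`), the `SMTP:` recipient format and the sample rules are assumptions constructed for the example; a real export would need its fields mapped onto these.

```python
import re
from typing import Iterable

INTERNAL_DOMAINS = {"example.org"}        # assumption: the organisation's own mail domains
RECIPIENT_RE = re.compile(r"SMTP:([^\]\s]+)")  # assumed export form: 'Name [SMTP:user@domain]'


def recipient_address(recipient: str) -> str:
    """Extract a bare address from an exported recipient string (plain addresses pass through)."""
    match = RECIPIENT_RE.search(recipient)
    return (match.group(1) if match else recipient).strip().lower()


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the organisation's own."""
    return address.rpartition("@")[2] not in INTERNAL_DOMAINS


def find_external_forwarding(rules: Iterable[dict]) -> list[dict]:
    """Return one finding per rule that forwards or redirects mail outside the organisation.

    Disabled rules are reported too (with enabled=False): a rule nobody noticed can be
    re-enabled, so the review should decide explicitly whether to delete it.
    """
    findings = []
    for rule in rules:
        targets = []
        for field in ("forward_to", "redirect_to", "forward_as_attachment_to"):
            targets.extend(rule.get(field) or [])
        external = sorted({recipient_address(t) for t in targets
                           if is_external(recipient_address(t))})
        if external:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                             "enabled": bool(rule.get("enabled", True)),
                             "external": external})
    return findings


# Constructed sample export for a mailbox kept active after the owner's departure.
SAMPLE_RULES = [
    {"mailbox": "former.exec@example.org", "name": "Board packs", "enabled": True,
     "forward_to": ['"Personal" [SMTP:exec.home@personal-mail.example]']},
    {"mailbox": "former.exec@example.org", "name": "Old project", "enabled": False,
     "redirect_to": ["contractor@partner.example"]},
    {"mailbox": "former.exec@example.org", "name": "Assistant copy", "enabled": True,
     "forward_to": ['"Assistant" [SMTP:assistant@example.org]']},
]

if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RULES):
        state = "ACTIVE" if f["enabled"] else "disabled"
        print(f"{f['mailbox']}: rule '{f['rule']}' ({state}) -> {', '.join(f['external'])}")
```

Only rules with an external target are reported, so the internal copy to the assistant is left alone while the active forward to a personal account and the dormant redirect to a partner domain both surface for review.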
Entities also should remove remote access capability to cloud storage services, Walsh says, and they should keep in mind that executives often have more expanded privileges to access sensitive company/patient information than other workers – even if they don’t always need it.
“The executive may not log in or seldom log in with those elevated privileges, but they have them,” and that access needs to be terminated when the individual leaves the organization, he notes.