Beacon Health System Indiana logo
(image source: Beacon Health System (Kyruus), 2021)
One-sentence summary:
A Beacon Health System employee breached 3,000+ patients’ records at Indiana-based Beacon Health System as an insider.
Who was involved?
Beacon Health System employee, Indiana-based Beacon Health System, and over 3,117 Beacon Health System patients.
What was the timeline?
November 19, 2018: Breach allegedly starts
January 10, 2023: Beacon Health System becomes aware of potential insider activity, launches investigation
February 20, 2023: Beacon Health System confirms the ongoing breach by the employee
February 24, 2023: Breach allegedly ends, employee is terminated
March 10, 2023: Beacon Health System provides notice on their website of the breach
What occurred?
From November 2018 to February 2023, a Beacon Health System employee allegedly breached the PHI of over 3,117 patients by inappropriately accessing such information, allowing the potential breach of: “name, address, date of birth, Social Security number, as well as clinical information such as diagnoses, emergency care treatment information, labs and diagnostic testing, operative and anesthesia documentation, as well as ancillary clinical documentation and medical history” (Beacon Health System, 2023; HHS, 2023). The Beacon Health System employee appears to have been in the admissions department per their job description and abused their privileges (Beacon Health System, 2023). No motive is given on Beacon’s breach notice. However, no fraud or identity theft is suspected (Beacon Health System, 2023).
Estimated costs:
Associated incident response costs, breach notification costs, 7-day week call center
Involved laws:
Federal: HIPAA and HITECH
State: Indiana: Indiana Code article 24-4.9
Root cause:
Employee/insider
Lessons learned:
Insider monitoring and auditing are crucial in healthcare settings where employees may have privileged access to PHI, PII, and other sensitive data.
Example solutions:
Insider monitoring
Teramind: https://www.teramind.co/solutions/insider-threat-detection
ActivTrak: https://www.activtrak.com/insider-threat-detection/
Proofpoint: https://www.proofpoint.com/us/products/information-protection/insider-threat-management
Threat assessment:
Mandiant: mandiant.com/services/insider-threat-assessment
Sources:
Beacon Health System. (2023). Notice of Data Privacy Event. In Beacon Health System. Retrieved April 16, 2023, from https://www.beaconhealthsystem.org/news/2023/03/10/website-notice/
Beacon Health System (Kyruus). (2021, June 15). New%20Project%20%281%29-Jun-14-2021-08-36-42-00-PM.png. Kyruus. https://www.kyruus.com/news/beacon-health-system-enhances-how-patients-find-and-schedule-care-with-kyruus-digital-platform
HHS. (2023). Cases Currently Under Investigation. In Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health and Human Services Office for Civil Rights. Retrieved April 16, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
