Las Palmas Del Sol Healthcare faces insider data breach

Las Palmas Del Sol Healthcare in El Paso, Texas, has disclosed an insider data breach involving a former employee's unauthorized access to patient records.

 

What happened 

Las Palmas Del Sol Healthcare, a part of HCA Healthcare, identified an insider breach on February 23, 2024, when it was discovered that a former employee had accessed patient records without authorization. The unauthorized activity spanned over three years, from January 1, 2018, to March 12, 2021, during which the employee viewed and possibly copied patient information.

Financial details like Social Security numbers and credit card information were not accessed. Despite the breach ending in 2021, the individual continued working at the healthcare facility until the breach was detected. The organization acted by revoking the employee’s credentials, but patients were not informed until December 2024.

 

What was said 

According to the breach notification released by Las Palmas Del Sol Healthcare, “Las Palmas Del Sol Healthcare has addressed the situation and has taken appropriate steps to prevent a similar incident from happening in the future. Those steps include, but are not limited to: (1) terminating the employee and severing the employee's access to hospital data and information; (2) reporting the employee's conduct to the appropriate law enforcement authorities, which investigated the matter; (3) performing or conducting systematic audits or monitoring activities of records that are accessed; and (4) continuing to emphasize during employee training what constitutes permissible and impermissible access of patient information.”

 

Why it matters 

Unlike ransomware or external hacking, this breach involved misuse of internal access rights, which allowed the employee to view sensitive patient information. The core problem is the lack of effective monitoring and auditing of employee access to patient records, which allowed unauthorized access to go undetected for over three years. The breach was avoidable with stricter internal controls, such as routine access audits and role-based access controls.

FAQs

Why is the late notification of patients an issue when no financial information was exposed?

The late notification of patients is an issue because it delays their ability to take precautions to protect their personal information from potential misuse. 

 

What qualifies as unauthorized access?

Unauthorized access occurs when someone views or uses information without the proper permission or valid reason related to their job duties. 

 

What form of employee training would resolve the issue related to the breach?

Regular HIPAA training focused on privacy rules, access protocols, and the consequences of violation would prevent unauthorized access.