Full Report
One of the most worrying concerns DataBreaches and Protenus reported each year when reporting on breaches of health data was the insider threat. Often the insider threat takes the form of “snooping” out of curiosity. At other times, it may have more nefarious motives, such as obtaining information on an adversary or relative to embarrass...
Analysis Summary
# Incident Report: Internal Snooping on Patient Health Data
## Executive Summary
This report summarizes an incident concerning insider threats and improper access to Protected Health Information (PHI) within the healthcare sector, highlighted by a presentation from UHealth (University of Miami Health System). The incidents primarily revolved around employees snooping on records out of curiosity or for non-authorized personal reasons, such as accessing information on family members or adversaries. The full impact and specific resolution details were not transparently disclosed by UHealth, but the focus was on establishing clear policies regarding employee motivation and appropriate disciplinary action.
## Incident Details
- Discovery Date: Not explicitly stated; implied through ongoing monitoring or internal audit related to the UHealth presentation (November 2025 context).
- Incident Date: Ongoing/Recurring pattern discussed (Contextual date of reporting is December 2025).
- Affected Organization: UHealth (University of Miami Health System).
- Sector: Healthcare (Health Data/Patient Privacy).
- Geography: Not explicitly stated (Implied US based on Privacy Rule reference).
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly stated. Incidents are assumed to occur during employee operational hours.
- Vector: Legitimate user credentials used for non-work-related record lookups ("snooping").
- Details: Employees using work credentials to access Electronic Health Records (EHR) without being the authorized provider for that patient (e.g., accessing records of children or spouses).
### Lateral Movement
- N/A: The threat vector did not involve typical network intrusion or lateral movement; it was focused on misuse of existing, legitimate access privileges.
### Data Exfiltration/Impact
- Details: Unauthorized access and potential viewing/copying of sensitive patient health information (PHI). Motives ranged from curiosity to gaining information for embarrassment, identity theft, or fraud.
### Detection & Response
- Detection: Not detailed by UHealth in the discussed reports, suggesting detection may rely on audit logs/user activity monitoring.
- Response: UHealth employs policies that do not mandate automatic termination for all violations, preferring to assess motivation and policy understanding to determine disciplinary measures.
## Attack Methodology
- Initial Access: Misuse of legitimate user credentials to access EHR systems.
- Persistence: Continued access through active employee status.
- Privilege Escalation: Not applicable (Insider threat used existing authorized access level).
- Defense Evasion: None in the technical sense; because the activity is a policy violation carried out with legitimate access, it blends in with normal EHR use rather than bypassing a control.
- Credential Access: N/A (Credentials were legitimate).
- Discovery: Internal audit or log review regarding PHI access patterns.
- Lateral Movement: N/A.
- Collection: Direct viewing/reading of patient records via the EHR interface.
- Exfiltration: Potential manual transcription or photographing of records (not specified).
- Impact: Violation of patient privacy rights and HIPAA regulations.
## Impact Assessment
- Financial: Not disclosed. (Potential fines or remediation costs associated with PHI violations).
- Data Breach: Unauthorized access to Patient Health Information (PHI). Volume and specific identities of affected patients not disclosed.
- Operational: Minimal operational disruption from the *attack*, but significant disruption/administrative time spent on policy reinforcement and investigations.
- Reputational: Negative impact due to a lack of transparency reported by UHealth regarding the specifics of the incident.
## Indicators of Compromise
- Network indicators: N/A (Focus is internal activity).
- File indicators: N/A.
- Behavioral indicators: Excessive or anomalous access patterns to patient records not associated with current job duties or authorizing physician status (e.g., accessing relatives' files).
## Response Actions
- Containment measures: Policy reinforcement and immediate investigation into the context of the access (e.g., determining if a provider was actually caring for a relative).
- Eradication steps: Disciplinary action commensurate with motivation and severity, including potential termination if warranted by policy/severity.
- Recovery actions: Re-education of staff on Privacy Rule compliance and organizational bylaws.
## Lessons Learned
- Curiosity or personal motives (e.g., checking on family/spouses) are significant drivers of insider PHI breaches.
- Transparency in detailing incidents is crucial for the wider community to learn preventive measures, which UHealth was reportedly reluctant to provide.
- Policies must clearly define acceptable and unacceptable access, even for authorized users accessing familiar records.
## Recommendations
- Implement rigorous User Activity Monitoring (UAM) specifically designed to flag access to VIP/relative records or records outside the employee's current scope of care.
- Disseminate clear, periodic training emphasizing that the right to privacy applies regardless of the patient's relationship to the employee.
- Establish graduated disciplinary policies where termination language exists for severe violations, but lower-tier violations allow for corrective action based on assessed motivation.
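A minimal version of the behavioral check recommended above, written as an added example (not UHealth's tooling): it reads a constructed EHR audit-log extract and flags chart opens with no care-team relationship, using a same-surname heuristic for relative lookups plus a count threshold for bursts. The log columns, the `on_care_team` field and the threshold are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (hypothetical format, not real data):
# one row per chart open, with whether the user is on the patient's care team.
SAMPLE_LOG = """\
ts,user,user_surname,patient,patient_surname,on_care_team
2025-11-03T09:12:00,nurse01,Lopez,P1001,Garcia,Y
2025-11-03T09:40:00,nurse01,Lopez,P1002,Lopez,N
2025-11-03T12:05:00,clerk07,Nguyen,P2001,Smith,N
2025-11-03T12:06:00,clerk07,Nguyen,P2002,Jones,N
2025-11-03T12:07:00,clerk07,Nguyen,P2003,Brown,N
2025-11-03T12:08:00,clerk07,Nguyen,P2004,White,N
2025-11-03T14:00:00,dr_patel,Patel,P1001,Garcia,Y
"""

# Assumed policy threshold: this many off-care-team opens by one user is a burst.
NO_RELATIONSHIP_BURST = 3


def parse_log(text):
    """Parse the CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_snooping(rows, burst=NO_RELATIONSHIP_BURST):
    """Return {user: [reasons]} for accesses lacking a treatment relationship.

    Two heuristics from the report's behavioral indicator: a user opening a
    chart whose surname matches their own (possible relative lookup), and
    repeated opens of patients the user is not assigned to care for.
    """
    findings = defaultdict(list)
    off_team = defaultdict(int)
    for r in rows:
        if r["on_care_team"] == "Y":
            continue  # legitimate treatment relationship: nothing to flag
        off_team[r["user"]] += 1
        if r["user_surname"].lower() == r["patient_surname"].lower():
            findings[r["user"]].append(
                f"possible relative lookup: {r['patient']} at {r['ts']}")
    for user, n in off_team.items():
        if n >= burst:
            findings[user].append(f"{n} chart opens with no care-team relationship")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in flag_snooping(parse_log(SAMPLE_LOG)).items():
        print(user, reasons)
```

A hit is a lead for the privacy office to review, not proof of misconduct; as the report notes, the context (for example a provider who really is treating a relative) decides the outcome.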