It seems that so many media reports of breaches have the obligatory statement “…There is no evidence that the lost Personally Identifiable Information (PII) was misused in any way.”

In this case (HERE), and originally reported HERE, the PII of Medicaid clients was certainly bought and sold. There is no mention of whether the data was “actually” used for fraudulent transactions or impersonations. The individual who was charged was apparently a new employee who had passed security screening. The employee resigned before the breach was communicated to the IT outsourcing company where she worked. The PII of 500 individuals was sold for $5,000.
What went wrong?

1) It appears that a screening policy existed for new employees. However, you can’t always tell if an employee will be a risk based only on available historical data from credit and criminal checks.

2) The employee had access to sensitive information, presumably during a probationary period. A malicious hire might even have the patience to wait until the probationary period ends in order to avoid suspicion. But the list of recent hires is still the first place investigators will look, going back a year or more.

3) The employee was obviously not deterred by any perceived consequences. This suggests that either employees were not being adequately briefed, or the consequences of committing this kind of crime were not serious enough to convince her that she would be adversely affected if she was caught.

4) No policies, procedures, deterrents or other means will dissuade people who don’t have the capacity to understand them. People with this limited capacity for judgement should not be hired into positions that have access to sensitive information of any kind.

The Bottom Line

You can almost never defend completely against an insider with malicious intent and means. A few layers of safeguards can make it relatively easy to detect and react to incidents of this type where large numbers of records are involved.

1) Individuals having access to large numbers of sensitive records should be screened with a higher degree of scrutiny to increase confidence in their intelligence and integrity.

2) Large ad-hoc data queries should require multi-person approval via passwords, and should be logged for review.

3) Automated paper reports with sensitive information should be classified and should only be available on printers or disk drives in higher security zones.

4) Penalties for employees need to be strict and enforced.
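Point 2 above (logging large ad-hoc queries for review and requiring a second approver) and the "recent hires" observation earlier can be turned into a simple review-queue rule. The script below is an added example, not code from the original post: the audit log rows, hire dates, 500-record threshold and one-year lookback are all constructed assumptions. It flags any bulk query without a second-person approver, sums each user's pulls so that an extract split into several small queries is still caught, and tags recent hires for priority review.

```python
import csv
from collections import defaultdict
from datetime import date
from io import StringIO

# Constructed sample query-audit log (not from the original post): one row per
# ad-hoc query against the client database, with the record count it returned.
AUDIT_LOG = """\
timestamp,user,query_id,approver,records_returned
2011-03-01T09:12:00,jdoe,q1001,,12
2011-03-01T10:40:00,asmith,q1002,mlee,640
2011-03-02T14:05:00,jdoe,q1003,,220
2011-03-02T15:30:00,jdoe,q1004,,310
2011-03-03T08:55:00,bkhan,q1005,,45
2011-03-03T16:20:00,bkhan,q1006,,900
"""

# Constructed HR feed: hire dates, so recent hires can be reviewed first.
HIRE_DATES = {"jdoe": date(2011, 1, 20), "asmith": date(2008, 6, 1),
              "bkhan": date(2010, 2, 15)}
AS_OF = date(2011, 3, 4)   # review date for the constructed data

BULK_THRESHOLD = 500       # assumed: record count that makes a query "large"
RECENT_HIRE_DAYS = 365     # assumed: how far back the recent-hire list goes


def review_queue(log_text, hire_dates, as_of=AS_OF, threshold=BULK_THRESHOLD):
    """Build the review queue from the audit log.

    Rule 1: a single query at or over the threshold with no second-person
    approver is flagged on its own. Rule 2: per-user totals are summed over
    the whole log, so a pull split into sub-threshold queries (jdoe here:
    12 + 220 + 310) is still caught; each total is tagged with whether the
    user was hired within RECENT_HIRE_DAYS of the review date."""
    totals = defaultdict(int)
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        n = int(row["records_returned"])
        totals[row["user"]] += n
        if n >= threshold and not row["approver"]:
            findings.append({"type": "unapproved_bulk_query", "user": row["user"],
                             "query_id": row["query_id"], "records": n})
    for user, total in totals.items():
        if total >= threshold:
            hired = hire_dates.get(user)
            recent = hired is not None and (as_of - hired).days <= RECENT_HIRE_DAYS
            findings.append({"type": "bulk_access_total", "user": user,
                             "records": total, "recent_hire": recent})
    return findings
```

Run against the constructed log, the queue holds one unapproved 900-record query and three users over the 500-record total, with only jdoe marked as a recent hire.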