Remote Workers Access Patient Data Using False Identities

Unauthorized Remote Access to Patient Data Went Undetected for 4 Months 

Sentara Health has confirmed that two remote workers using false identities may have accessed sensitive patient information from January to April 10, 2025.  

According to a news release from the Norfolk, VA-based health system, in January 2025, Sentara Health’s Lab Services department hired the remote workers to process lab requisitions—orders sent by providers that indicate which lab tests to perform on patients. These individuals worked entirely off-site, without ever visiting a Sentara facility. 

New Hire Photos of Remote Workers Raise Red Flag 

On April 3, their manager raised concerns after noticing that the two individuals participating in virtual meetings did not match the photos submitted during the hiring process. This prompted a report to Sentara’s Compliance Department. 

Sentara’s Privacy and Cyber Security teams immediately launched an investigation. A week later, it was discovered that although the job duties were being fulfilled, the work was not being done within the United States, and it could not be confirmed whether the individuals performing the work were the ones who were originally hired. 

Sentara Health Takes Immediate Action 

Sentara took immediate action by revoking system access for the individuals, conducting a formal investigation, and notifying affected patients beginning June 9, 2025. The potentially exposed data includes patient names, dates of birth, addresses, Social Security Numbers, lab test details, and provider information. The breach may have impacted certain patients who received lab tests during this time. 

Affected patients are being offered free credit monitoring and identity protection services, with support available via a dedicated call center. 

HIPAA Security Rule Addresses Employment Practices 

This recent incident underscores several key points outlined in the HIPAA Security Rule, which will be further expanded upon in the proposed updates to the Rule: 

  1. The importance of regularly reviewing onboarding/offboarding requirements, including workforce clearance and access permissions. 
  2. The scope of information system activity, which includes audit logs, access reports, and the identification of login monitoring procedures, along with the actions to take in response to inappropriate or attempted logins.

Learn more about the proposed updates and their impact on health care organizations in this article on our blog: Comments Deadline Closes for HIPAA Security Rule Proposed Changes.

Deceitful Remote Workers Are a Continuing Threat to Data Privacy 

In January, the same month Sentara Health hired the two remote workers now in question, the U.S. Department of Justice announced the indictment of five individuals for fraudulently obtaining remote work credentials from U.S. companies to generate revenue for North Korea.  

For more details, including steps to strengthen the remote hiring process, please read the full article on our blog: FBI Warns: North Korean Workers Conduct Data Extortion. 

It is important to note that the country where Sentara’s questionable remote workers are located has not yet been identified. 
