Hiring employees who work remotely can pose additional challenges for security and compliance with regulations.
In March, Sentara Health disclosed an incident concern that resulted in the notification of 1,620 patients. They described the concern this way:
In December, the Sentara Health’s Lab Services department hired an individual to process lab requisitions.
Lab requisitions are the orders a provider sends to a lab to tell them what type of lab tests to run on a patient.
The individual was hired to work remotely, meaning he did not work in an office located on Sentara property. In January, after a virtual meeting with the individual, the individual’s manager made Sentara’s Privacy Department aware of concerns related to the individual’s identity, including whether the individual with whom the manager had been interacting was the person initially hired.
In response to the manager’s report, the individual’s access to Sentara’s systems was immediately terminated. We subsequently learned that the individual’s activity is consistent with a job-sharing scam. In this type of situation, an individual may seek employment from multiple employers while farming the work out to other individuals who receive a percentage of the pay. This enables a person to be hired by a company as an employee and share the job duties with other people without the employer’s knowledge.
Sentara promptly initiated an investigation into this concern with the assistance of a third-party forensic firm and notified federal law enforcement. On or about January 28, 2025, the investigation determined that the individual’s access to data stored within Sentara’s electronic medical records system appeared consistent with job-related activities. However, because we were unable to confirm whether the access was by the individual hired, or by another person unauthorized to share job responsibilities, we are notifying you of this incident.
Fast forward to June, and we find another disclosure — this one related to the hiring of two more remote employees in January to also process lab requisition. Sentara describes this incident this way:
In January 2025, the Sentara Health’s Lab Services department hired two individuals to process lab requisitions.
Lab requisitions are the orders a provider sends to a lab to tell them what type of lab tests to run on a patient.
The individuals were hired to work remotely, meaning they did not work in an office located on Sentara property. On April 3, 2025, after virtual meetings with the individuals, the individual’s manager made Sentara’s Compliance Department aware of concerns related to the individual’s identities, and that the pictures the individuals submitted as part of the hiring process did not appear to match the individuals participating in virtual departmental meetings.
In response to the manager’s report, the Sentara Privacy and Cyber Security departments began an investigation to determine if there was any activity that was inconsistent with their job duties or out of compliance with Sentara’s policies or procedures. Our investigation was completed on April 10, 2025, and noted that while the individuals were performing the job duties they were hired to perform, they were not performing these duties from within the United States and could not confirm they were being performed by the individuals hired by Sentara.
In response, Sentara immediately terminated the individuals’ access to Sentara’s systems.
This incident did not affect all patients, but only certain patients who received lab tests between January and April 10, 2025. The information the individual(s) accessed varied by patient, but may have included patient names, addresses, dates of birth, patient identification numbers, medical record numbers, telephone numbers, Social Security Numbers, the lab tests that were ordered, the name of the provider who ordered the tests and the date the labs were ordered.
The June report to HHS indicated that 13,278 patients were affected.
Notice that they do not say that the people accessing data and performing the work were not the people hired. What they said is they couldn’t be sure, and as one result, they are evaluating their technical controls.