The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

North Carolina DHHS Reveals 524-Patient Record Data Breach

In August 2015, a member of staff employed by North Carolina Department of Health and Human Services was discovered to have sent unencrypted emails containing patient data outside of the company’s email network. The errors resulted in 1,615 patients having their personal information placed at risk of being intercepted or viewed by unauthorized individuals.

On Friday, the DHHS discovered that the errors had been made again, this time resulting in the data of 524 patients being sent via unencrypted email. The emails were reportedly sent on September 14, just under a month after the first data breach occurred.

This time the emails have more potential to result in patients coming to harm as Social Security numbers, insurance information, and dates of birth were included in the emails. Other data exposed in the latest breach include names, addresses, ethnicity, gender, race, Medicaid recipient numbers and provider names.

When a data breach is suffered, HIPAA-covered entities are required to investigate the cause of the breach, issue notification letters to the Office for Civil Rights, announce the data breach to the media (if more than 500 individuals are affected), and alert patients. They must also take steps to prevent similar data breaches from occurring in the future. Action must be taken promptly to prevent further exposures of patient data.

The DHHS has now implemented controls to prevent this type of error from occurring in the future. An email filter will be used to block the transmission of emails containing patient PHI if the data have not been encrypted. Had the security measure been put in place after the first data breach was suffered on August 19, the second set of emails would have been blocked.

An investigation has been conducted into the incident, and while the data could potentially have been intercepted or been read by an unauthorized individual, the state DHHS does not believe any information has fallen into the wrong hands or has been used inappropriately.

This was the second data breach to be reported on Friday by a HIPAA-covered entity that involved the transmission of PHI via email. University of Cincinnati Medical Center also discovered a data breach had occurred as a result of an email error. In that case, the data was similarly unencrypted, although it was not meant to be sent outside the healthcare provider’s network.

The solution to both errors was the same: the implementation of an email filter as a safeguard to prevent human error from exposing patient PHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
