Automatic Email Forwarding Rule Sent 1,700 Patients’ PHI to Employee’s Personal Account

Health Department officials in Multnomah County, OR, have discovered that an employee set up an automatic mail forwarder on an email account that sent all email correspondence to a personal Google email account for a period of around three months.

The emails were forwarded to an account outside the control of Multnomah County, in violation of the Health Insurance Portability and Accountability Act. Since the employee works in the Health Department, emails sent to that individual’s official email account contained a range of patients’ electronic protected health information (ePHI). The ePHI included first and last names, ages, medical record numbers, medical diagnoses, dates of service, medication names and prescription numbers.

The email forwarder was discovered during a random audit conducted on November 22, 2016. An internal investigation into the incident revealed that the ePHI of 1,700 patients was exposed. The investigation did not uncover any evidence to suggest that any of the forwarded emails had been opened or read, but the possibility that ePHI was inappropriately accessed could not be ruled out.

Multnomah County has now confirmed that the email account has been deleted and none of the forwarded emails can be accessed by the employee. Multnomah County believes the risk of ePHI being used inappropriately is low and no reports have been received to suggest any ePHI has been used inappropriately. Multnomah County has also confirmed that no Social Security numbers, home addresses, or phone numbers were present in the emails or email attachments forwarded to the personal account.

The incident has prompted Multnomah County to conduct a review of policies and procedures with the member of staff concerned. Policies, controls, business practices, and data protection solutions are also being reviewed in direct response to this incident.

It is unclear why the emails were being forwarded to the personal account. It would appear from the substitute breach notice issued by Multnomah County that the matter has been dealt with internally and that the employee in question has not been terminated.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.