25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Automatic Email Forwarding Rule Sent 1,700 Patients’ PHI to Employee’s Personal Account

Posted By on Feb 9, 2017

Health Department officials in Multnomah County, OR, have discovered that an employee set up an automatic mail forwarder on an email account that sent all email correspondence to a personal Google email account for a period of around three months.

The emails were forwarded to an account outside the control of Multnomah County, in violation of the Health Insurance Portability and Accountability Act. Since the employee works in the Health Department, emails sent to that individual’s official email account contained a range of patients’ electronic protected health information (ePHI). The ePHI included first and last names, ages, medical record numbers, medical diagnoses, dates of service, medication names and prescription numbers.

The email forwarder was discovered during a random audit that was conducted on November, 22, 2016. An internal investigation into the incident revealed that the ePHI of 1,700 patients was exposed. The investigation did not uncover any evidence to suggest that any of the forwarded emails had been opened or read, but the possibility that ePHI was inappropriately accessed could not be ruled out.

Multnomah County has now confirmed that the email account has been deleted and none of the forwarded emails can be accessed by the employee. Multnomah County believes the risk of ePHI being used inappropriately is low and no reports have been received to suggest any ePHI has been used inappropriately. Multnomah County has also confirmed that no Social Security numbers, home addresses, or phone numbers were present in the emails or email attachments forwarded to the personal account.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The incident has prompted Multnomah County to conduct a review of policies and procedures with the member of staff concerned. Policies, controls, business practices, and data protection solutions are also being reviewed in direct response to this incident.

It is unclear why the emails were being forwarded to the personal account and it would appear from the substitute breach notice issued by Multnomah County that the matter has been dealt with internally and the employee in question has not been terminated.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Prevent HIPAA Email Violations

Avoid the common misunderstandings and implementation errors relating to HIPAA email.

Learn more