Dermatologist Email Error Exposes 14,910 Patients’ SSNs

A spreadsheet containing 14,910 patient names, along with Social Security numbers, dates of birth, telephone numbers, addresses, email addresses, past and next appointment dates, head of household names, marital statuses, ethnicities, and employer names/occupations was inadvertently sent to 130 patients by the office of an Austin dermatologist.

The emails were sent on November 23, 2015. The error was rapidly identified, but not in time to prevent 60 of those emails from being successfully delivered. It is not clear how many patients could potentially have been affected had the email error not been identified so quickly.

According to a breach notice placed on the website of Austin, TX, dermatologist Mary Ruth Buchness, patients were meant to be sent a survey as an email attachment, but were inadvertently sent a very detailed list of patient demographics instead.

The website breach notice does not list the number of patients affected, although the breach notice submitted to the Department of Health and Human Services Office for Civil Rights indicates 14,910 patients had their PHI exposed.

To mitigate risk and protect patients, all affected individuals have been offered identity theft protection services without charge for a period of one year, starting from December 11, 2015, when the breach notification letters were sent.

Mary Ruth Buchness’s practice will also be implementing a number of additional controls to prevent similar mistakes from exposing the PHI of patients in the future. The first is an outright ban on the sending of emails to multiple patients or distribution lists until further HIPAA training has been provided and additional security and privacy protections have been put in place. The new measures being implemented will include technical email safeguards to prevent the unintentional sending of patient PHI via email.

In order to determine the best protections to put in place, a privacy and security consultant has been enlisted to review the practice’s policies and procedures.

This is not the only email error to have been made by a healthcare provider that has resulted in the exposure of patient PHI this year, but it certainly ranks as one of the most serious due to the number of patients affected and the highly detailed information that was sent.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.