Share this article on:
Email-related breaches of protected health information (PHI) have recently been reported by the University of Arkansas for Medical Sciences and Sacramento County
University of Arkansas for Medical Sciences (UAMS) Employee HIPAA Violation
The University of Arkansas for Medical Sciences (UAMS) has started sending notification letters to hundreds of patients to alert them to a HIPAA violation involving some of their PHI.
On November 29, 2021, UAMS discovered an employee had sent emails from her UAMS email account to a personal Gmail account that contained attachments that included patients’ PHI. UAMS said the emails were sent on November 15, 2021, while the individual was still employed by UAMS. The emails included billing statements that had been sent to UAMS for reimbursement and Excel spreadsheets used by UAMS for internal billing compliance and auditing purposes.
No clinical documents, medical records, financial information, or Social Security numbers were included in the attachments, but they did contain PHI such as names, hospital account numbers, medical record numbers, dates of service, insurance type, and claim information for billing purposes. The attachments also contained the dates of birth and medication information of a small number of individuals. In total, 518 individuals were affected.
UAMS said the employee concerned was interviewed about the HIPAA breach and maintained the emails had been sent to her personal email account in error and voluntarily left UAMS.
Sacramento County Phishing Attack Exposed the Health Data of Thousands of Employees
Sacramento County has confirmed it was the victim of a phishing attack in June 2021 in which unauthorized individuals gained access to employee email accounts that contained the personal and protected health information of employees.
According to the notice, Sacramento County employees were targeted in a phishing attack on June 22, 2021, and five employees responded to the emails and disclosed their email account credentials. It is unclear when the security breach was detected, but officials said an audit of email mailboxes determined on November 17, 2021, that the compromised mailboxes contained 2,096 records that included the protected health information of employees, and a further 816 records that contained personal information.
Notification letters were sent to those individuals on January 21, 2022, and free credit monitoring, credit resolution, and identity restoration services have been offered for 12 months. The email security incident prompted Sacramento County to strengthen the password requirements for employee email accounts and implement 2-factor authentication. The security management plan has also been updated and further security awareness training has been provided to the workforce.