HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Breaches Reported by University of Arkansas for Medical Sciences and Sacramento County

Email-related breaches of protected health information (PHI) have recently been reported by the University of Arkansas for Medical Sciences and Sacramento County

University of Arkansas for Medical Sciences (UAMS) Employee HIPAA Violation

The University of Arkansas for Medical Sciences (UAMS) has started sending notification letters to hundreds of patients to alert them to a HIPAA violation involving some of their PHI.

On November 29, 2021, UAMS discovered an employee had sent emails from her UAMS email account to a personal Gmail account that contained attachments that included patients’ PHI. UAMS said the emails were sent on November 15, 2021, while the individual was still employed by UAMS. The emails included billing statements that had been sent to UAMS for reimbursement and Excel spreadsheets used by UAMS for internal billing compliance and auditing purposes.

No clinical documents, medical records, financial information, or Social Security numbers were included in the attachments, but they did contain PHI such as names, hospital account numbers, medical record numbers, dates of service, insurance type, and claim information for billing purposes. The attachments also contained the dates of birth and medication information of a small number of individuals. In total, 518 individuals were affected.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

UAMS said the employee concerned was interviewed about the HIPAA breach and maintained the emails had been sent to her personal email account in error and voluntarily left UAMS.

Sacramento County Phishing Attack Exposed the Health Data of Thousands of Employees

Sacramento County has confirmed it was the victim of a phishing attack in June 2021 in which unauthorized individuals gained access to employee email accounts that contained the personal and protected health information of employees.

According to the notice, Sacramento County employees were targeted in a phishing attack on June 22, 2021, and five employees responded to the emails and disclosed their email account credentials. It is unclear when the security breach was detected, but officials said an audit of email mailboxes determined on November 17, 2021, that the compromised mailboxes contained 2,096 records that included the protected health information of employees, and a further 816 records that contained personal information.

Notification letters were sent to those individuals on January 21, 2022, and free credit monitoring, credit resolution, and identity restoration services have been offered for 12 months. The email security incident prompted Sacramento County to strengthen the password requirements for employee email accounts and implement 2-factor authentication. The security management plan has also been updated and further security awareness training has been provided to the workforce.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.