Email HIPAA Breach Reported by St. Louis County Health Department
St. Louis County Health Department has reported that a former employee has inadvertently breached the Health Insurance Portability and Accountability Act after she sent an email containing Protected Health Information to her personal email account. The data related to inmates who had previously been held at the Buzz Westfall Justice Center between 2008 and 2014.
The data was contained in a document and included Social Security numbers and personal information. It is not clear at this stage why the document was sent to the employees email account and whether this was for the purpose of working from home or to use the data for any other means.
St. Louis County Department of Health spokesman, Craig LeFebvre, issued a statement to the media regarding the breach in which he said that the employee was contacted and told to delete the document and she is understood to have complied with the request; although an investigation into the security breach is ongoing.
Under the HIPAA Breach Notification Rule, all covered entities are required to notify individuals affected by a data breach within 60 days of discovery that their Protected Health Information and personally identifiable information has been compromised.
County officials have confirmed that in accordance with the Breach Notification Rule, all affected individuals have been contacted by mail, a media report was issued and both state and federal officials have been notified of the incident. The breach report made to the Department of Health and Human Services’ Office for Civil Rights (OCR) states that up to 4,000 individuals were potentially affected by the incident.
The data is understood to have been deleted but there is no guarantee at this stage that it has not been disclosed to other parties, so a risk remains. Affected individuals have therefore been advised to obtain credit reports from Equifax, Experian and TransUnion and to monitor their credit carefully over the coming months. Explanation of Benefits (EoB) statements should also be scrutinized and any irregularities queried.
St. Louis County Health Department has agreed to implement a number of additional security measures in order to prevent further HIPAA breaches occurring in the future. One of these measures will be further staff training sessions on HIPAA Privacy and Security Rules.
Should the investigation determine that PHI was taken for personal gain; criminal proceedings could be filed against the former employee which would likely result in a considerable fine as well as a term in jail.