Share this article on:
The Metropolitan Hospital Center in New York has issued breach notices announcing the potential exposure of patients’ Protected Health Information (PHI) after an employee was found to have emailed data to a personal account.
The breach notice – issued to the Department of Health and Human Services’ Office for Civil Rights (OCR) on June 1, 2015 – indicates that 3,957 individuals have been affected.
Three Email HIPAA Data Breaches Suffered in Quick Succession
This is the third major breach to affect a New York City Health and Hospitals Corporation (HHC) hospital this year. All three have been caused by employees emailing PHI to personal or external mail accounts without authorization.
The Jacobi Medical Center issued breach notices to 90,060 individuals in April after an employee emailed PHI to a personal email account. HHC’s Belleview Hospital Center sent breach notices to 3,334 individuals on April 28th advising them of a data breach caused by an employee emailing a spreadsheet to the email account of a relative on January 15, 2015. The same day, the Metropolitan Hospital employee emailed PHI outside the company without authorization.
According to the Jacobi Medical Center breach notice, these HIPAA breaches are rapidly detected by the healthcare provider’s security system. “Among other things, [HHC] monitors and detects all email communications that contain PHI and other confidential information.” What is not clear is how a sophisticated email security system can incorporate controls to help protect against data breaches, yet take up to two and a half months to determine that data has been emailed outside the company.
The Jacobi breach occurred on February 19, 2015 and was discovered on February 27, 2015. The Belleview breach occurred on January 15, 2015 and was discovered on February 27, 2015. The Metropolitan data breach occurred on January 15, 2015, but was not discovered until March 31, 2015. The breach notice was posted on June 1, 2015
The Office for Civil Rights can impose strict financial penalties on healthcare providers – and other covered entities – for failing to implement sufficient controls to protect PHI. The string of recent data breaches could prove to be sufficient reason for the Office for Civil Rights to conduct an investigation. It will certainly want to see evidence of the actions that have been taken following the data breaches to plug the security gaps.
Data Security Vulnerabilities Now Being Addressed
Three similar data breaches in a short space of time indicates that the staff had not been made aware of the importance of data privacy or that training has been provided and forgotten. In order to tackle this problem, HHC has arranged for further privacy training to be provided to the staff. HHC has also taken the decision to initiate “automatic blocking of email communications containing PHI and other confidential information from being sent from HHC’s information systems to any site or entity outside of the HHC security network unless for a legitimate business purpose.”
The latest breach has warranted the provision of credit monitoring services, which have been made available to all data breach victims for a period of one year. Patients are being advised of the breach by post. The letters detail a number of steps patients can take to reduce the risk of identity theft, insurance and tax fraud.