Share this article on:
A New York City Health and Hospitals Corporation (HHC) hospital HIPAA breach has been reported in which 3,334 patients’ Protected Health Information (PHI) was exposed after an employee emailed a spreadsheet to the email account of a relative.
The HIPAA breach was discovered on February 27, 2015, although the email was sent more than a month previously on January 15, 2015. Belleview Hospital posted a copy of the breach notification letters (dated April 28, the same day as the breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights) almost two months after the discovery of the breach.
Under the HIPAA Breach Notification Rule, covered entities have up to 60 days to report breaches and issue breach notices when a data breach exposes the PHI of than 500 individuals, although the notices should be issued without unreasonable delay.
How the Belleview Hospital HIPAA Breach Occurred
The employee in question was provided with a spreadsheet that included patient names, telephone numbers and email addresses in addition to their medical record numbers, insurance carrier name and “limited sensitive information.” That spreadsheet was emailed to a relative’s work email address in violation of the HIPAA Privacy Rule, 45 CFR §164.401.
The employee was interviewed as part of the investigation into the HIPAA breach. She explained the reason the email was sent was so she could get some technical assistance with “manipulating the spreadsheet data for Bellevue work purposes,” according to Bellevue’s breach notification letters.
HHC also interviewed the employee’s relative and both he and the employee confirmed that the spreadsheet had not been sent to any other individual and the information had not been otherwise disclosed. HHC determined that the employee had not emailed data to any other individual through the hospital network, and the relative asked his employer to delete the email and the attachment from the company’s computer system. HHC has obtain sworn affidavits from both individuals confirming all PHI has been deleted from all systems. The employee does not appear to have lost her job, although HHC did say she is facing disciplinary action.
Second Reported Unauthorized Email Disclosure for HHC
This HIPAA breach makes it two in a month for the New York City Health and Hospitals Corporation. Another breach report was submitted to the OCR on the same day. HHC reported the Jacobi Medical Center had suffered a HIPAA breach after PHI was emailed outside the company. In that breach the intentions of the employee were very different, as the data was being stolen to provide to a new employer.
In both cases data has been recovered and no further threat is believed to remain, but the two incidents have revealed a security vulnerability in HHC’s system, which does not actually prevent PHI from being sent outside the network to third parties. This is now being addressed to prevent future data breaches and emails containing PHI will be restricted to within the HHC network, except in cases where the data is justified in being sent – to Business Associates for example.
Further training on privacy and security matters has also been planned for all employees required to come into contact with PHI.