25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Health Plan of San Joaquin Email Security Breach Affects 420,433 Individuals

Posted By on May 21, 2021

Health Plan of San Joaquin (HPSJ), a non-profit Medi-Cal managed care provider based in French Camp, CA, has discovered an unauthorized individual has gained access to its email system and potentially accessed or obtained sensitive data.

A potential email breach was suspected on or around October 12, 2020 when anomalous activity was identified in the email system. HPSJ determined on October 23, 2020 that multiple employee email accounts had been remotely accessed by an unauthorized individual. A password reset was performed on all affected email accounts to prevent further access, and the investigation confirmed that unauthorized access to email accounts occurred between September 26, 2020 and October 12, 2020.

Following any email system breach, all emails in the compromised accounts must be checked to determine whether they contain any sensitive data. That can be a labor-intensive and time-consuming process. In this case, the process involved a programmatic and painstaking manual review, which revealed that the compromised email accounts contained the protected health information of 420,433 individuals.

The delay in issuing breach notification letters was due to the length of time it took to identify PHI in the email accounts, and the subsequent review of internal records to identify up-to-date contact information for those individuals to allow notification letters to be sent. That process has only recently been completed and breach notification letters started to be sent to affected individuals on May 18, 2021.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The types of PHI in the compromised accounts included names, addresses, and Social Security numbers. While unauthorized email account access was confirmed, no reports have been received to indicate there has been any misuse of PHI; although, as a precaution against identity theft and fraud, affected individuals who had their Social Security number exposed have been offered a complimentary 12-month membership to credit monitoring services through Equifax.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Prevent HIPAA Email Violations

Avoid the common misunderstandings and implementation errors relating to HIPAA email.

Learn more