Kentucky E-mail Hack Highlights Importance of HIPAA Compliance

A healthcare provider in Kentucky has notified 2,500 patients that a hacker had gained access to an email account which contained some Protected Health Information and personally identifiers, and that their data could potentially have been viewed by that individual.

The incident occurred when an employee of Cabinet for Health and Family Services responded to a phishing E-mail he had been sent by a hacker and his response allowed the hacker to gain access to his email account. Controls were in place to identify any suspicious E-mail activity which allowed the breach to be identified quickly. Within 30 minutes of access being gained the account was closed, severely limiting the opportunity for health information to be viewed.

The breach was investigated by Cabinet for Health and Family Services which determined that the motivation for the hack was to gain access to government servers to send spam E-mails, and was not a targeted attack to gain access to Patient Health Information. The healthcare provider believes Protected Health Information and personally identifiable information has not been viewed, and while it cannot rule out that possibility, the risk to patients is considered to be low.

The Health Insurance Portability and Accountability Act requires healthcare providers to send breach notifications to all affected individuals after a security breach. The incident is also reportable to the DHHS’ Office for Civil Rights. The breach notifications advised patients of the information that was potentially accessible, which included personal information contained in the National Youth Transition Database used to monitor patients as they aged out of foster care. Medical diagnoses and Social Security numbers were not present in the database although names, addresses and some ID codes were potentially exposed.

Rodney Murphy, Executive Director of the Office of Administrative and Technology Services at Cabinet for Health and Family Services, reassured patients that “The Cabinet and DCBS take our role of safeguarding the personal information of those we serve very seriously and have increased awareness activities for staff to help protect against future issues of this kind.” He also advised those affected that the risk is perceived to be low and they are being notified “out of an abundance of caution”.

The Office for Civil Rights may choose to investigate Cabinet for Health and Family Services to determine whether HIPAA rules were followed and to assess whether the breach resulted from a failure to implement adequate controls to protect private patient data. A fine could be issued if the healthcare provider is found to have violated HIPAA Privacy and Security Rules.

The quick response to the network intrusion limited the window of opportunity given to the hackers and highlights the importance of logging and monitoring network access and E-mail accounts. The incident also reinforces the need for healthcare providers to provide training to employees on E-mail security.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.