Share this article on:
The Lake County Health Department in Illinois has announced it has suffered two data breaches that potentially involved the personal and protected health information of around 25,000 patients.
The first breach occurred in 2019 when a Lake County Health employee sent an unencrypted email from their work email account to an internal employee’s personal email account. The email had an attached spreadsheet of medical record requests dating from December 2016 to June 2019. The requests had been made through a third-party company which handled release of information requests for the Lake County Health Department. The spreadsheet included the names of 24,241 patients along with dates relevant to the vendor.
Lake County Health discovered the breach on July 22, 2019; however, it took until July 2021 for notification letters to be sent to affected patients. The reason for the delay of almost two years was due to Lake County Health officials not believing notification letters were required, as no personal health information had been compromised; however, the Department of Health and Human Services disagreed with that assessment and required notification letters to be issued as personal health information may have been compromised.
A second data breach was discovered on May 14, 2021 which involved a Google spreadsheet containing names, dates of birth, email addresses, phone numbers, and the COVID-19 vaccination status of 705 individuals. The spreadsheet was saved in the personal Google Drive account of an employee. While Google Drive can be a HIPAA compliant solution for use in healthcare along with other G Suite services, personal accounts are not. Google can access information in personal Google accounts and uses that information to deliver tailored services and advertisements. All affected individuals were seniors who had sought information on COVID-19 vaccinations. Those individuals have now been notified.
While both privacy incidents resulted in patient data being exposed, Lake County Health said internal risk assessments were conducted and no evidence was found to indicate any of the exposed information had been acquired by unauthorized individuals or misused.
The Lake County Health Department has since implemented solutions to prevent any similar breaches in the future, including encryption of all email and enhanced monitoring.