HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lake County Health Department Notifies 25,000 Patients About Two Data Breaches

The Lake County Health Department in Illinois has announced it has suffered two data breaches that potentially involved the personal and protected health information of around 25,000 patients.

The first breach occurred in 2019 when a Lake County Health employee sent an unencrypted email from their work email account to an internal employee’s personal email account. The email had an attached spreadsheet of medical record requests dating from December 2016 to June 2019. The requests had been made through a third-party company which handled release of information requests for the Lake County Health Department. The spreadsheet included the names of 24,241 patients along with dates relevant to the vendor.

Lake County Health discovered the breach on July 22, 2019; however, it took until July 2021 for notification letters to be sent to affected patients. The reason for the delay of almost two years was due to Lake County Health officials not believing notification letters were required, as no personal health information had been compromised; however, the Department of Health and Human Services disagreed with that assessment and required notification letters to be issued as personal health information may have been compromised.

A second data breach was discovered on May 14, 2021 which involved a Google spreadsheet containing names, dates of birth, email addresses, phone numbers, and the COVID-19 vaccination status of 705 individuals. The spreadsheet was saved in the personal Google Drive account of an employee. While Google Drive can be a HIPAA compliant solution for use in healthcare along with other G Suite services, personal accounts are not. Google can access information in personal Google accounts and uses that information to deliver tailored services and advertisements. All affected individuals were seniors who had sought information on COVID-19 vaccinations. Those individuals have now been notified.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

While both privacy incidents resulted in patient data being exposed, Lake County Health said internal risk assessments were conducted and no evidence was found to indicate any of the exposed information had been acquired by unauthorized individuals or misused.

The Lake County Health Department has since implemented solutions to prevent any similar breaches in the future, including encryption of all email and enhanced monitoring.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.