North Carolina DHHS Reveals 524-Patient Record Data Breach

In August 2015, a member of staff employed by the North Carolina Department of Health and Human Services was discovered to have sent unencrypted emails containing patient data outside of the department’s email network. The errors resulted in 1,615 patients having their personal information placed at risk of being intercepted or viewed by unauthorized individuals.

On Friday, the DHHS discovered that the errors had been made again, this time resulting in the data of 524 patients being sent via unencrypted email. The emails were reportedly sent on September 14, just under a month after the first data breach occurred.

This time the emails have more potential to result in patients coming to harm as Social Security numbers, insurance information, and dates of birth were included in the emails. Other data exposed in the latest breach include names, addresses, ethnicity, gender, race, Medicaid recipient numbers and provider names.

When a data breach is suffered, HIPAA-covered entities are required to investigate the cause of the breach, issue notification letters to the Office for Civil Rights, announce the data breach to the media (if more than 500 individuals are affected), and alert patients. They must also take steps to prevent similar data breaches from occurring in the future. Action must be taken promptly to prevent further exposures of patient data.

The DHHS has now implemented controls to prevent this type of error from occurring in the future. An email filter will be used to block the transmission of emails containing patient PHI if the data have not been encrypted. Had the security measure been put in place after the first data breach was suffered on August 19, the second set of emails would have been blocked.
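The control described above, as an added illustration that is not the DHHS’s or any vendor’s actual filter: an outbound-mail check that lets internal recipients and encrypted envelopes through, and blocks plaintext messages to outside domains that carry Social Security number or date-of-birth patterns. The internal domain, the pattern set and the sample message are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "dhhs.example"  # assumed internal domain (constructed)

# Patterns for two of the identifiers named in the breach: SSNs and dates of birth.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")

def external_recipients(msg):
    """Recipient addresses whose domain is not the internal one."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return [addr for _, addr in pairs
            if addr and addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]

def is_encrypted(msg):
    """True for S/MIME or PGP/MIME envelopes; their bodies are not inspected."""
    ctype = msg.get_content_type()
    return ctype in ("multipart/encrypted", "application/pkcs7-mime", "application/x-pkcs7-mime")

def phi_hits(msg):
    """Count SSN and DOB patterns across every text part (body and text attachments)."""
    hits = {"ssn": 0, "dob": 0}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", errors="replace")
        hits["ssn"] += len(SSN_RE.findall(text))
        hits["dob"] += len(DOB_RE.findall(text))
    return hits

def filter_decision(raw_message):
    """Return ("allow" | "block", reason) for one outbound message."""
    msg = message_from_string(raw_message)
    ext = external_recipients(msg)
    if not ext:
        return "allow", "all recipients internal"
    if is_encrypted(msg):
        return "allow", "encrypted envelope"
    hits = phi_hits(msg)
    if hits["ssn"] or hits["dob"]:
        return "block", f"unencrypted PHI to {ext}: {hits}"
    return "allow", "no PHI patterns found"

# Constructed sample message; the identifiers are placeholders, not real data.
SAMPLE_PLAINTEXT = """\
From: worker@dhhs.example
To: partner@outside.example
Subject: Medicaid roster
Content-Type: text/plain; charset=utf-8

Jane Doe, SSN 123-45-6789, DOB 04/12/1980, Medicaid ID MX-PLACEHOLDER
"""
```

A production filter would also inspect non-text attachments (spreadsheets, PDFs) and log every block for the breach investigation the article describes.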

An investigation has been conducted into the incident, and while the data could potentially have been intercepted or been read by an unauthorized individual, the state DHHS does not believe any information has fallen into the wrong hands or has been used inappropriately.

This was the second data breach to be reported on Friday by a HIPAA-covered entity that involved the transmission of PHI via email. University of Cincinnati Medical Center also discovered a data breach had occurred as a result of an email error. In that case, the data was similarly unencrypted, although it was not meant to be sent outside the healthcare provider’s network.

The solution to both errors was the same: the implementation of an email filter as a safeguard to prevent human error from exposing patient PHI.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.