University of Cincinnati Email Errors Result in 1,064-Patient Data Breach

Email errors have been potentially exposing the Protected Health Information (PHI) of University of Cincinnati Medical Center patients, according to a recent breach report issued by the healthcare provider. The error was discovered to have been made on nine separate occasions over a period of more than a year. As a result of these errors, patient data have been inadvertently sent outside of the UC Health email network. The mistakes were simple errors that can all too easily occur, and go unnoticed, if controls are not put in place to prevent the transmission of PHI outside of an organization’s network.

When the emails were sent, two letters were accidentally reversed when entering the domain name. The recipient name was entered correctly, but the error entering the domain name resulted in the emails being directed to another organization.

When emails are sent to an organization and cannot be delivered, a message is usually automatically sent to the sender advising them of the delivery failure. Some organizations employ a “catch-all”, which would result in an incorrectly addressed email being delivered to the mailbox of a system administrator. In such cases the email would not generate a non-delivery message and the sender would be unaware of the error.

Since the emails were not returned as undeliverable, which would have highlighted the error, the error was made on subsequent occasions. The first instance was determined to have occurred in August 2014, with the last discovered only recently. 1,064 patients were affected and potentially had their names, dates of birth, medical record numbers, service dates and physicians' names exposed. It is possible that the emails were not opened or read.

UC Health spokeswoman Diana Lara issued a statement on Friday indicating the hospital had not received any notifications to suggest that the data have been misused. An external security firm has been employed to conduct a forensic analysis to determine how the error occurred and was allowed to persist, and if any other data were exposed.

The information contained in the emails should not be sufficient to allow any individual to use the data to commit identity theft or fraud, but the breach notification letters that will shortly be mailed will nonetheless advise patients to exercise caution.

Problems such as these can be prevented with the addition of an email filter on outbound mail. Spam filters are often employed to catch email spam being sent to an organization, but similar filters are not always used to block outbound mail. This has been addressed by UC Health and emails sent in error to the organization in question will now be blocked.
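The sketch below shows one way such an outbound check could work for the transposed-letter mistake described above. It is an added example, not code from the article or from UC Health. The domain names are constructed placeholders (the article does not name the domains involved), and the allow/hold/block policy is an assumption.

```python
from email.utils import getaddresses

# Constructed values: the article does not name the real domains involved.
TRUSTED_DOMAINS = {"hospital.example", "partnerlab.example"}
BLOCKED_DOMAINS = {"hopsital.example"}  # known misdirection target, always blocked


def is_adjacent_transposition(a: str, b: str) -> bool:
    """True if b equals a with exactly one pair of neighbouring characters swapped."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def check_recipient(address: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'hold' or 'block' (assumed policy)."""
    _, sep, domain = address.rpartition("@")
    domain = domain.strip().lower().rstrip(".")
    if not sep or not domain:
        return "block", "address has no domain part"
    if domain in BLOCKED_DOMAINS:
        return "block", f"{domain} is on the outbound blocklist"
    if domain in TRUSTED_DOMAINS:
        return "allow", "trusted domain"
    # A near-miss of a trusted domain never bounces if the other side runs a
    # catch-all mailbox, so hold it for confirmation instead of delivering.
    for trusted in sorted(TRUSTED_DOMAINS):
        if is_adjacent_transposition(trusted, domain):
            return "hold", f"{domain} looks like a mistyped {trusted}"
    return "allow", "external domain, no lookalike match"


def check_message(to_header: str) -> dict[str, tuple[str, str]]:
    """Evaluate every address found in a To/Cc header value."""
    return {addr: check_recipient(addr)
            for _, addr in getaddresses([to_header]) if addr}


if __name__ == "__main__":
    # Constructed header for illustration.
    header = "Alice Smith <alice@hospital.example>, records@partnerlba.example"
    for addr, (verdict, reason) in check_message(header).items():
        print(f"{verdict:5} {addr}: {reason}")
```

In a real deployment this logic would run in the mail gateway's outbound policy hook, with held messages routed to the sender for confirmation.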

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.