HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

University of Cincinnati Email Errors Result in 1,064-Patient Data Breach

Email errors have been potentially exposing the Protected Health Information (PHI) of University of Cincinnati Medical Center patients, according to a recent breach report issued by the healthcare provider. The error was discovered to have been made on nine separate occasions over a period of more than a year. As a result of these errors, patient data have been inadvertently sent outside of the UC Health email network. The mistakes were simple errors that can all too easily occur, and go unnoticed, if controls are not put in place to prevent the transmission of PHI outside of an organization’s network.

When the emails were sent, two letters were accidentally reversed when entering the domain name. The recipient name was entered correctly, but the error entering the domain name resulted in the emails being directed to another organization.

When emails are sent to an organization and cannot be delivered, a message is usually automatically sent to the sender advising them of the delivery failure. Some organizations employ a “catch-all”, which would result in an incorrectly addressed email being delivered to the mailbox of a system administrator. In such cases the email would not generate a non-delivery message and the sender would be unaware of the error.

Since the emails were not returned as being undeliverable, which would have highlighted the error, the error was made on subsequent occasions. The first instance was determined to have occurred in August 2014 with the last discovered only recently. 1,064 patients were affected and potentially had their names, dates of birth, medical record numbers, service dates and physician’s names exposed. It is possible that the emails were not opened or read.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

UC Health spokeswoman Diana Lara issued a statement on Friday indicating the hospital had not received any notifications to suggest that the data have been misused. An external security firm has been employed to conduct a forensic analysis to determine how the error occurred and was allowed to persist, and if any other data were exposed.

The information contained in the emails should not be sufficient to allow any individual to use the data to commit identity theft or fraud, but patients will be advised to exercise caution none the less in the breach notification letters that will shortly be mailed.

Problems such as these can be prevented with the addition of an email filter on outbound mail. Spam filters are often employed to catch email spam being sent to an organization, but similar filters are not always used to block outbound mail. This has been addressed by UC Health and emails sent in error to the organization in question will now be blocked.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.