4000 patient records in New York breached due to nonexistent email DLP
Hoala Greevy May 24, 2017
In June 2015, Metropolitan Hospital Center in New York submitted a HIPAA breach notice to the Department of Health and Human Services' Office for Civil Rights (OCR). Under the HIPAA Breach Notification Rule, the hospital was required to report any breach affecting 500 or more individuals. The breach occurred when an employee emailed nearly 4,000 patient records to his personal email account.
The emailed data contained the following protected health information:
- Names
- Medical record numbers
- Medical diagnoses
- Physician’s names
- Sensitive medical information
The HIPAA violation occurred on 15 January 2015 but was not discovered until 31 March 2015, roughly two and a half months later. What's mind-boggling to me is that while the hospital had evidently allocated budget to some form of Data Loss Prevention (DLP), that DLP only monitored email after the fact instead of inspecting messages before they left the network. The breach was therefore not blocked, and it took over two months to detect. I don't think they got good ROI on their vendor choice for email DLP.
SEE RELATED: Not Having Email DLP Leads to 90,000 Patient Records Breached
Why Would an Employee Email PHI to Their Personal Account?
Metropolitan Hospital Center could not determine why the employee sent the email containing patient PHI to his personal account. While there was no indication that the employee misused the information, its transmission was unauthorized and constituted a HIPAA violation.
How Can Paubox Suite Premium Help?
Paubox Suite Premium includes email DLP features that can prevent HIPAA violations by scanning outbound email, including attachments, for protected health information and other risk indicators such as the destination address. In the Metropolitan Hospital Center case, a good email DLP solution would have flagged the message when it found medical record numbers and other sensitive medical information in an email addressed to a personal account, and would have stopped it before delivery.
Paubox Suite Premium takes the following actions when such a message is detected:
- Quarantine the outbound email.
- Send an email alert to the DLP administrator.
- Optionally send an email alert to the sender notifying them that their email was quarantined.
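The detect-and-quarantine flow described above, as an added example in Python that is not Paubox's code and makes no claim about how their product works internally. It parses an outbound message, scans every text part (the body and a text/csv attachment alike) for a hypothetical medical record number format and crude diagnosis keywords, checks whether any recipient is outside the organisation, and returns the quarantine decision and the alerts to send. The domain lists, the MRN pattern, the keyword list and the sample message are all constructed for illustration.

```python
"""Minimal outbound email DLP check (added example, not Paubox code).

Policy: scan every text part of an outbound message, including text
attachments, for PHI indicators, and quarantine the message when PHI is
addressed to a recipient outside the organisation. Domain lists, the MRN
format, the keyword list and the sample data are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import getaddresses

# Hypothetical organisation domain and a short list of consumer webmail providers.
INTERNAL_DOMAINS = {"hospital.example"}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Hypothetical MRN format: the label "MRN" followed by 6 to 8 digits.
# Real MRN formats vary by institution and must be tuned per deployment.
MRN_RE = re.compile(r"\bMRN[:#\s-]*(\d{6,8})\b", re.IGNORECASE)
# Crude diagnosis indicators; a real deployment would use a clinical vocabulary.
DIAGNOSIS_RE = re.compile(r"\b(diagnosis|dx|icd-10|icd-9)\b", re.IGNORECASE)


@dataclass
class Verdict:
    quarantine: bool
    mrn_count: int
    external_recipients: list[str]
    reasons: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)


def _recipients(msg: EmailMessage) -> list[str]:
    """All To/Cc/Bcc addresses, lower-cased."""
    headers = [str(h) for name in ("To", "Cc", "Bcc") for h in msg.get_all(name, [])]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def _text_parts(msg: EmailMessage) -> str:
    """Concatenate every text/* part, so a CSV attachment is scanned like the body."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def scan_outbound(raw: str, bulk_threshold: int = 10, notify_sender: bool = True) -> Verdict:
    """Decide whether an outbound message should be quarantined and which alerts to raise."""
    msg = Parser(policy=policy.default).parsestr(raw)
    recipients = _recipients(msg)
    text = _text_parts(msg)

    external = [r for r in recipients if r.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
    personal = [r for r in external if r.rsplit("@", 1)[-1] in PERSONAL_WEBMAIL]
    mrns = set(MRN_RE.findall(text))          # distinct record numbers, not raw hits
    has_diagnosis = DIAGNOSIS_RE.search(text) is not None

    reasons = []
    if mrns:
        reasons.append(f"{len(mrns)} distinct medical record numbers found")
    if len(mrns) >= bulk_threshold:
        reasons.append(f"bulk export: {len(mrns)} records exceeds threshold {bulk_threshold}")
    if has_diagnosis:
        reasons.append("diagnosis language found")
    if personal:
        reasons.append(f"personal webmail recipient(s): {', '.join(personal)}")
    elif external:
        reasons.append(f"external recipient(s): {', '.join(external)}")

    # PHI to an internal colleague is logged but delivered; PHI leaving the org is held.
    phi_found = bool(mrns) or has_diagnosis
    quarantine = phi_found and bool(external)
    actions = []
    if quarantine:
        actions = ["quarantine", "alert_dlp_admin"]
        if notify_sender:
            actions.append("notify_sender")
    return Verdict(quarantine, len(mrns), external, reasons, actions)


def build_sample_message(to_addr: str, rows: int) -> str:
    """Constructed sample message with a fake patient CSV attached (not real data)."""
    msg = EmailMessage()
    msg["From"] = "clerk@hospital.example"
    msg["To"] = to_addr
    msg["Subject"] = "patient list"
    msg.set_content("Attached is the list you asked for.")
    lines = ["name,id,notes"]
    for i in range(rows):
        lines.append(f"Patient {i},MRN {1000000 + i},Dx: sample condition")
    msg.add_attachment("\n".join(lines), subtype="csv", filename="patients.csv")
    return msg.as_string()


if __name__ == "__main__":
    for to_addr in ("someone@gmail.com", "records@hospital.example"):
        v = scan_outbound(build_sample_message(to_addr, 25))
        print(to_addr, "->", "QUARANTINE" if v.quarantine else "deliver", v.reasons)
```

The decision deliberately combines content (record numbers, diagnosis terms, a bulk threshold) with destination (any address outside the organisation, with personal webmail called out separately), because either signal alone produces too many false positives to act on automatically; the same message sent to an internal mailbox is delivered and only logged.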
SEE ALSO: Email DLP can Monitor PHI Being Sent to Personal Accounts