In June 2015, Metropolitan Hospital Center in New York submitted a HIPAA breach notice to the Department of Health and Human Services' Office for Civil Rights (OCR). The hospital was required by law to report the incident, since HIPAA breaches affecting 500 or more individuals must be reported to OCR. The breach occurred when an employee emailed nearly 4,000 patient records to his personal email account.
The emailed data contained the following protected health information:
The HIPAA violation occurred on 15 January 2015 but was not discovered until 31 March 2015. What's mind-boggling to me is that the hospital evidently had budget for some form of Data Loss Prevention (DLP), yet its email was monitored only after the fact rather than scanned at the moment a message was sent. The breach still occurred, and it took more than two months to discover it. I don't think they got good ROI on their vendor choice for email DLP.
SEE RELATED: Not Having Email DLP Leads to 90,000 Patient Records Breached
Metropolitan Hospital Center could not determine why the employee sent the email containing patient PHI to his personal account. While there was no indication that the employee misused the information, its transmission was unauthorized and constitutes a HIPAA violation.
Paubox Suite Premium includes Email DLP features, which can prevent HIPAA violations by scanning outbound email for protected health information and other indicators before it leaves the organization. In the case of Metropolitan Hospital Center, a good email DLP solution would have detected that the employee was sending medical record numbers and other sensitive medical information to a personal email account, and could have stopped the message instead of leaving it to be found in a log review months later.
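To make concrete what "scanning outbound email for PHI" looks like at the gateway, here is an added example of an outbound DLP check. It is illustrative code written for this post, not Paubox's product code. It parses an outbound message, classifies each recipient as internal, a consumer webmail ("personal") account, or some other external domain, counts PHI indicators in the text (medical record numbers, Social Security numbers, dates of birth and labelled ICD-10 diagnosis codes), and returns a decision before the message is delivered. The organization domain, the list of personal-email domains, the MRN format and the sample message are all assumptions constructed for the example; a real deployment would tune the patterns to its own record formats.

```python
"""Outbound email DLP check (added example, not Paubox code).

Decides ALLOW / REVIEW / BLOCK for an outbound message at send time,
which is the point: a check that only runs over logs after delivery
cannot stop the message. All patterns, domain lists and the sample
message below are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

ORG_DOMAIN = "hospital.example"  # assumed sending organization

# Consumer webmail domains treated as "personal accounts" (assumed list).
PERSONAL_DOMAINS = {
    "gmail.com", "yahoo.com", "hotmail.com", "outlook.com",
    "aol.com", "icloud.com", "protonmail.com",
}

# PHI indicator patterns (illustrative; real MRN formats are site-specific).
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#\s]*([0-9]{6,10})\b", re.IGNORECASE),
    # SSN with the structurally invalid area/group/serial values excluded
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
    # ICD-10-CM code (e.g. E11.9, I10) only when preceded by a Dx/diagnosis
    # label, to limit false positives on ordinary alphanumerics
    "diagnosis": re.compile(
        r"\b(?:Dx|diagnosis)[:\s]*([A-TV-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?)\b",
        re.IGNORECASE),
}


def classify_recipients(msg: Message) -> dict:
    """Bucket every To/Cc/Bcc address as internal, personal or other external."""
    buckets = {"internal": [], "personal": [], "external": []}
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    for _name, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        if domain == ORG_DOMAIN:
            buckets["internal"].append(addr)
        elif domain in PERSONAL_DOMAINS:
            buckets["personal"].append(addr)
        else:
            buckets["external"].append(addr)
    return buckets


def message_text(msg: Message) -> str:
    """Concatenate all text/* parts (body and text attachments) for scanning."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def find_phi_indicators(text: str) -> dict:
    """Count distinct hits per indicator type; distinct MRNs approximate patient count."""
    hits = {}
    for label, pattern in PHI_PATTERNS.items():
        found = {m.group(m.lastindex or 0) for m in pattern.finditer(text)}
        if found:
            hits[label] = len(found)
    return hits


def evaluate_outbound(raw_message: str) -> dict:
    """Policy: PHI to a personal account -> BLOCK; PHI to other external -> REVIEW; else ALLOW."""
    msg = message_from_string(raw_message)
    recipients = classify_recipients(msg)
    phi = find_phi_indicators(message_text(msg) + "\n" + (msg.get("Subject") or ""))
    decision, reasons = "ALLOW", []
    if phi and recipients["personal"]:
        decision = "BLOCK"
        reasons.append(f"PHI indicators {phi} addressed to personal account(s) {recipients['personal']}")
    elif phi and recipients["external"]:
        decision = "REVIEW"
        reasons.append(f"PHI indicators {phi} addressed to external domain(s) {recipients['external']}")
    return {"decision": decision, "phi": phi, "recipients": recipients, "reasons": reasons}


# Constructed sample resembling the incident: a staff account mailing a
# patient list to a consumer webmail address, with an internal colleague on Cc.
SAMPLE_OUTBOUND = """\
From: clerk@hospital.example
To: someone.personal@gmail.com
Cc: colleague@hospital.example
Subject: patient list for later
Content-Type: text/plain; charset=utf-8

Doe, Jane  MRN: 00481516  DOB: 03/14/1970  Dx: E11.9
Roe, Rick  MRN: 00234200  DOB: 11/02/1965  Dx: I10
Contact SSN on file: 123-45-6789
"""

if __name__ == "__main__":
    print(evaluate_outbound(SAMPLE_OUTBOUND))
```

On the sample above the check returns BLOCK with two distinct MRNs, two dates of birth, two diagnosis codes and one SSN, because a personal webmail address is among the recipients; the same content sent to a non-webmail external domain (a billing partner, say) lands in REVIEW rather than an outright block, and a message with no indicators is allowed. The distinction matters operationally: blocking on every external PHI transfer would break legitimate workflows, while the combination of PHI plus a personal account is almost never legitimate. Labelled-field patterns like `MRN:` and `Dx:` keep the false-positive rate down at the cost of missing unlabelled data, which is why real deployments layer several detectors rather than relying on one regex.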
Paubox Suite Plus provides the following benefits:
SEE ALSO: Email DLP can Monitor PHI Being Sent to Personal Accounts