Paubox blog: HIPAA compliant email made easy

Healthcare email breach roundup: Week of 10/28/24

Written by Liyanda Tembani | November 12, 2024

Email-related breaches often expose sensitive personal information, putting organizations and patients at risk. Despite advances in cybersecurity, healthcare organizations remain vulnerable to attacks, largely due to the valuable nature of the data they hold. The following email-related breaches in healthcare were reported this week:

Related: Why HIPAA breaches related to email are so common


BrightStar Care email breach

What happened

On October 28, 2024, BrightStar Care reported an email breach to the Massachusetts Attorney General after discovering unauthorized access to an employee’s email account. Upon investigating, BrightStar confirmed that an unauthorized party had accessed the account over a two-day period, between May 15 and May 16, 2024, exposing sensitive consumer data contained in emails and attachments.


Data impacted

The compromised data included confidential consumer information that BrightStar Care has since reviewed to determine the specific data types and individuals affected. Personalized notifications were sent to individuals, listing the types of data involved.


Breach timeline

Suspicious activity was detected in May 2024. After concluding an investigation on August 29, 2024, BrightStar Care began issuing data breach notifications on October 28, 2024, to comply with regulatory requirements.


Potomac Medical Aesthetics breach

What happened

Potomac Medical Aesthetics (PMA), based in Maryland, reported an unintentional email breach that occurred when an internal document with patient names and email addresses was mistakenly sent to other PMA patients. The error was detected promptly, leading PMA to suspend outbound email processing and initiate a recall notice.


Data impacted

The breached data included patient names and email addresses. Although limited in scope, this exposure makes affected individuals vulnerable to phishing attacks. PMA has advised them to exercise caution with unsolicited emails.


Breach timeline

The incident was reported on October 28, 2024, shortly after the disclosure error was detected. PMA swiftly issued notifications and implemented additional email protocols to prevent future breaches.


Northeast Professional Caregivers email account breach

What happened

Northeast Professional Caregivers, a Canton-based healthcare organization, reported an unauthorized access incident involving an employee email account. The compromised account contained a marketing list with names, addresses, phone numbers, and types of services sought by potential and existing patients.


Data impacted

The accessed data was limited to demographic details and service preferences; no sensitive medical, financial, or Social Security information was included. Northeast Professional Caregivers reported the breach out of caution, although there’s no evidence of misuse or further exposure.


Breach timeline

The breach was detected and contained in October 2024, with notifications sent out as a preventive measure to alert affected individuals to the potential risks. It was reported to the OCR on November 1, 2024.


How to prevent email-based breaches

  • Phishing prevention training: Regularly educate staff on recognizing phishing attempts and other suspicious email activity.
  • Multi-factor authentication (MFA): Enforce MFA for all employees to add a layer of security to email accounts.
  • Encryption and secure email platforms: Use encrypted email systems like Paubox to protect sensitive data and ensure that PHI is only shared over secure channels.
  • Email monitoring and alerts: Set up automated alerts for suspicious activity, such as failed login attempts or emails from unknown sources.
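The last item above is the one that would have surfaced the BrightStar-style mailbox compromise earliest. As an added example (not Paubox's code or any product's API), the script below scans constructed sign-in audit lines in an assumed `timestamp user result source_ip` format and raises an alert when a mailbox login succeeds after repeated failures or comes from an IP the account has never used before.

```python
import re
from collections import defaultdict

# Constructed sample sign-in audit lines (not from any real system).
# Format assumed for this example: timestamp user FAIL|SUCCESS source_ip
SAMPLE_LOG = """\
2024-05-15T08:01:10Z jdoe FAIL 203.0.113.7
2024-05-15T08:01:25Z jdoe FAIL 203.0.113.7
2024-05-15T08:01:41Z jdoe FAIL 203.0.113.7
2024-05-15T08:02:03Z jdoe SUCCESS 203.0.113.7
2024-05-15T09:15:00Z asmith SUCCESS 192.0.2.10
2024-05-15T09:16:00Z asmith FAIL 192.0.2.10
2024-05-16T07:30:00Z jdoe SUCCESS 198.51.100.5
"""

# IPs each account is normally seen from (constructed baseline).
KNOWN_IPS = {"jdoe": {"192.0.2.20"}, "asmith": {"192.0.2.10"}}

LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|SUCCESS) (\S+)$")

def parse_log(text):
    """Turn raw audit lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m[1], "user": m[2], "ok": m[3] == "SUCCESS", "ip": m[4]})
    return events

def find_suspicious_logins(events, known_ips, fail_threshold=3):
    """Return (user, reason, ip, timestamp) tuples worth an alert."""
    alerts = []
    fails = defaultdict(int)  # consecutive failures per account
    for e in events:
        user = e["user"]
        if not e["ok"]:
            fails[user] += 1
            continue
        if fails[user] >= fail_threshold:
            alerts.append((user, "success after repeated failures", e["ip"], e["ts"]))
        if e["ip"] not in known_ips.get(user, set()):
            alerts.append((user, "success from unseen IP", e["ip"], e["ts"]))
        fails[user] = 0  # a success resets the failure counter
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_log(SAMPLE_LOG), KNOWN_IPS):
        print("ALERT:", *alert)
```

Each alert is a prompt to check the mailbox's recent activity and, if confirmed, to reset credentials and revoke sessions before the access window grows into days.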


FAQs

What is the most common cause of email-related data breaches in healthcare?

Phishing attacks are the most common cause, where attackers trick employees into sharing login credentials or clicking malicious links, granting unauthorized access to email accounts.


Is HIPAA violated if only internal staff emails containing PHI are compromised?

Yes, if PHI is exposed through compromised internal emails, it still constitutes a HIPAA violation, as unauthorized access to protected information breaches privacy regulations.


What should be included in a healthcare organization’s incident response plan for email breaches?

An incident response plan should include steps for isolating affected accounts, notifying impacted individuals, conducting a root cause analysis, and reporting to regulatory authorities if required.