2 min read
Houston Health Department data breach due to an issue with its patient portal
Kapua Iao March 18, 2022
The Houston Health Department recently alerted patients of a recent data breach. This isn’t the first (and won’t be the last) U.S. government health department to experience a breach.
RELATED: Delaware Division of Public Health announces data breach incident
According to Houston Health, the breach was due to a technical issue with its patient portal rather than malicious intent. Many covered entities choose to use a portal for communication, but patient portals aren’t as secure as believed; HIPAA compliant email is a safer bet.
And given HIPAA legislation, healthcare organizations must always safeguard protected health information (PHI) from all unsecured breaches.
What happened at Houston Health?
Houston Health first alerted patients of its breach on February 24. It discovered the issue within a portal on January 6 and immediately deactivated the system for 48 hours. The subsequent investigation found that a technical issue within the patient portal linked user accounts together, sharing patient information. Exposed PHI included COVID-19 test dates and results as well as:
- Names
- Addresses
- Birthdates
- Email addresses
About 3,500 portal users had access to 10,000 test results.
SEE ALSO: Your cybersecurity strategy is probably lacking
The Office for Civil Rights lists the breach on its Breach Notification Portal as an unauthorized access/disclosure affecting 10,291 individuals. There was no evidence of malicious intent or data misuse. Houston Health’s breach alert ended with: “Additional processes have been implemented to ensure this incident does not reoccur.”
To portal or not to portal
A patient portal is a healthcare-related online app that allows patients to securely communicate with healthcare providers. Portals are available 24 hours a day, and patients can access their PHI at their convenience.
RELATED: This is what happens to patient engagement under HIPAA
Portals ask patients to use a different website or download an app and create a separate login to access a separate system. They seem like an easy, secure solution, but as we have written in past blogs, this is not the case.
SEE ALSO: Hackers access 4,000 UW Health patients’ Epic MyChart portals for nearly 4 months
Hackers can still compromise the portal login, which in and of itself is an annoyance to patients. And obviously, something as simple as a technical issue (like Houston Health’s) can expose PHI. Standalone portals aren’t the best solution for safeguarding sensitive information.
Why email is better than patient portals
Part of the reason healthcare organizations began to use portals is to increase patient engagement. But studies indicate patient engagement through email is better. More than 1 in 3 patients reported that email helped them avoid an unnecessary doctor’s visit.
In fact, the same number of patients reported that email communication with their provider improved their overall health. But that does not necessarily make email communication more secure. Strong encryption that keeps PHI safe in transit and at rest does.
SEE ALSO: How to make your email HIPAA compliant
Ultimately HIPAA compliant email is a safer, simpler, more convenient, and more effective communication tool. It keeps messages and PHI protected, helping covered entities avoid unsecured breaches and HIPAA violations.
Paubox Email Suite Plus means solid email security
Paubox Email Suite seamlessly employs strong email security to keep communication HIPAA compliant. Employees and patients don’t need extra passwords or logins. No portals or prerequisites to ensure patients have control over their health.
SEE ALSO: How to get employees to use encrypted email
Our HITRUST CSF certified solution encrypts all outbound email. And better yet, messages can be sent directly from an existing email platform such as Microsoft 365 or Google Workspace. And Paubox Email Suite Plus provides even more inbound security with robust spam, malware, and phishing protection.
Zero Trust Email adds another layer of authentication before an email is even delivered to an inbox. While ExecProtect keeps display name spoofing from causing inadvertent sharing.
RELATED: Human error is inevitable – robust email security is a must
Houston Health accidentally caused its recent portal breach, exposing PHI and causing a HIPAA violation. Something that could have been avoided in the first place with HIPAA compliant email like Paubox Email Suite.
Subscribe to Paubox Weekly
Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.