On December 13, 2019, Sinai Health System reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS), but stated that it has found no evidence of unauthorized access yet. Sinai Health System is located in Chicago, IL, and the security incident, caused by an email breach, could potentially affect the protected health information of 12,578 individuals. Sinai Health System is classified as a Healthcare Provider. According to a notice on Sinai Health System's website:
Sinai Health System (Sinai) has become aware of a potential data security incident that may have resulted in the inadvertent exposure of some patients’ personal and health information. On October 16, 2019, forensic information technology experts determined that patient information could be at risk after an unknown third party gained unauthorized access to two employee email accounts. Experts performed an investigation and found no evidence that any patient information was removed from Sinai Health System’s email accounts or systems. Further, Sinai is not aware of any misuse of any patient’s information and has seen no indication that any patient’s information is in the hands of someone it should not be as a result of this incident. While experts found no evidence that any emails containing patient information were opened during the period of unauthorized access, Sinai identified the patients whose personal and health information were stored in the email accounts with help from outside computer experts. The information that could have been in the two email accounts includes patients’ names, addresses, dates of birth, Social Security numbers, health information or health insurance information. Sinai encourages patients to review the letters that are being mailed for steps they can take to protect their information.
Sinai Health System has taken steps to prevent future incidents, including resetting passwords, enhancing email filtering protocols and conducting employee training. Sinai Health System previously suffered a breach in 2017, when 11,350 patients had their information compromised in a phishing attack that hacked at least two employees' email accounts. View the full notice here.
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.