The incident has raised concerns about transparency, data management, and legal implications affecting the agency's operations.
What happened
The Iowa Department of Human Services (DHS) lost access to approximately 432,000 encrypted emails due to a software transition.
DHS transitioned from Microsoft Outlook to Google Mail in December 2016, incorporating Virtru for email encryption. Following the switch back to Outlook in 2018, DHS encountered decryption issues, rendering 432,000 emails inaccessible. Despite efforts, only a fraction of these emails were successfully decrypted, with many showing errors altering their content.
Going deeper
The lawsuit that led to the disclosure of the encryption problem involves Alyson Rasmusson, who alleges that in 2017, the Iowa DHS wrongly accused her of negligence in a child's injury at her in-home daycare.
While the DHS has since changed its findings, Rasmusson’s attorney Roxanne Conlin, argues that DHS's encryption-related email loss prevents fair legal proceedings, stating “If we cannot get access to emails of the investigator communicating with his supervisor – and, obviously, the supervisor communicating with her supervisor – how in the world can we prove what we need to prove… By encrypting these emails, and then being unable to decrypt them, they have prevented us from having a fair chance in court.”
Ultimately, the lost emails raise concerns about compliance with Iowa laws on evidence preservation and fair trial rights.
What was said
While the DHS believed it could decrypt the Virtru emails “after several successful decryptions,” department spokesman Alex Carfrae states, “the ability to do so stopped working."
Carfrae also acknowledged ongoing contact with Iowa's Chief Information Officer but did not detail further actions.
In the know
Encryption software like Virtru automatically encrypts emails containing certain keywords, complicating access post-transition.
Providers must select encryption solutions that integrate with existing systems and ensure ongoing access to encrypted emails. Paubox, for example, offers encrypted email management without compromising accessibility or security.
Furthermore, Paubox is compatible with various email platforms, including Outlook and Gmail, ensuring continuous operational efficiency and data security.
Go deeper: Paubox vs Virtru: HIPAA compliant email software review
Why it matters
The loss of access to encrypted emails impacts DHS's ability to respond to legal requests and affects litigation outcomes and transparency obligations.
The bottom line
Provider organizations must consider the implications of software transitions on data accessibility and transparency in public agencies. Encryption solutions must be compatible with existing systems to ensure continuous access to health information, especially in legal and regulatory contexts, safeguarding against potential disruptions and legal challenges.
Related: HIPAA Compliant Email: The Definitive Guide
