In June 2015, Metropolitan Hospital Center in New York submitted a HIPAA breach notice to the Department of Health and Human Services’ Office for Civil Rights (OCR). As required by law, the hospital was obligated to report all HIPAA breaches involving 500 records or more.
The HIPAA breach was due to an employee emailing nearly 4,000 patient records to his personal email account.
The emailed data contained the following protected health information:
- Medical record numbers
- Medical diagnoses
- Physicians' names
- Sensitive medical information
The HIPAA violation occurred on 15 January 2015 but was not discovered until 31 March 2015. What's mind-boggling to me is that while it's clear the hospital allocated budget to having some form of Data Loss Prevention (DLP) in place, they monitored their email systems only after the fact. Therefore, the HIPAA breach still occurred, and it took them over two months to discover it. I don't think they got good ROI on their vendor choice for email DLP.
Why Would an Employee Email PHI to Their Personal Account?
Metro Hospital Center in New York could not determine why the employee sent the email with patient PHI to his personal email.
While there was no indication the employee improperly used the information contained in the email, its transmission was unauthorized and represents a HIPAA violation.
How Can Paubox Suite Premium Help?
In the case of the Metropolitan Hospital Center in New York, a good email DLP solution would have detected, at send time, that the employee was sending things like medical record numbers and sensitive medical information to a personal email account.
Paubox Suite Plus provides the following benefits:
- Quarantine the outbound email.
- Send an email alert to the DLP administrator.
- Optionally send an email alert to the sender notifying them their email got quarantined.
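As an added illustration (not Paubox's code), the outbound check those three bullets describe, in Python: inspect mail leaving the hospital domain for PHI indicators (an assumed MRN format and a small constructed diagnosis term list), quarantine it when the recipient is a consumer webmail domain, and build the administrator alert. Domain lists, the MRN pattern and the sample message are all constructed.

```python
import re
from email.message import EmailMessage

# Constructed list of consumer webmail providers treated as "personal accounts" (assumption).
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
INTERNAL_DOMAIN = "hospital.example"  # hypothetical tenant domain
# Assumed MRN format: the label "MRN" followed by 6 to 8 digits; real formats vary by hospital.
MRN_RE = re.compile(r"\bMRN[:#\s-]*\d{6,8}\b", re.IGNORECASE)
# Small constructed keyword list standing in for a real diagnosis dictionary.
DIAGNOSIS_TERMS = ("diagnosis", "icd-10", "hiv", "diabetes", "chemotherapy")

def personal_recipients(msg: EmailMessage) -> list:
    """Return recipient addresses whose domain is a consumer webmail provider."""
    hits = []
    for header in ("To", "Cc", "Bcc"):
        for addr in (msg.get(header) or "").split(","):
            addr = addr.strip().lower()
            if "@" in addr and addr.rsplit("@", 1)[1] in PERSONAL_DOMAINS:
                hits.append(addr)
    return hits

def evaluate(msg: EmailMessage) -> tuple:
    """Outbound policy: quarantine when PHI indicators head to a personal mailbox. Returns (quarantine, reasons)."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    personal = personal_recipients(msg)
    mrns = MRN_RE.findall(text)
    terms = [t for t in DIAGNOSIS_TERMS if t in text.lower()]
    reasons = []
    if personal and mrns:
        reasons.append(f"{len(mrns)} MRN(s) addressed to personal account(s): {', '.join(personal)}")
    if personal and terms:
        reasons.append("diagnosis terms present: " + ", ".join(terms))
    return bool(reasons), reasons

def build_alert(msg: EmailMessage, reasons: list, admin: str) -> EmailMessage:
    """Notify the DLP administrator; the quarantined original is not forwarded."""
    alert = EmailMessage()
    alert["From"] = f"dlp@{INTERNAL_DOMAIN}"
    alert["To"] = admin
    alert["Subject"] = f"[DLP] Quarantined outbound mail from {msg['From']}"
    alert.set_content("Quarantine reasons:\n- " + "\n- ".join(reasons))
    return alert

def make_message(to_addr: str, body: str) -> EmailMessage:
    m = EmailMessage()  # constructed outbound message from a hospital mailbox (fake data)
    m["From"] = f"clerk@{INTERNAL_DOMAIN}"
    m["To"] = to_addr
    m.set_content(body)
    return m
```

The same evaluate() decision would gate a real mail flow before delivery, which is the difference between blocking the send and discovering it two months later.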