Not having email DLP leads to 90,000 patient records breached

Email DLP - Paubox

In April 2015, the New York City Health & Hospitals Corporation’s (HHC) Jacobi Medical Center reported 90,060 patient records were breached when an employee emailed the records to her personal email account. In addition, she also cc’d her new employer. The email was sent shortly before the employee left HHC Jacobi Medical Center to work for another healthcare provider.

The emailed data contained the following patient protected health information (PHI):

  • Names
  • Addresses
  • Telephone numbers
  • Medical record numbers
  • Health insurance information
  • Treatment dates
  • Medical services received
  • Social Security Numbers

Although the Jacobi Medical Center automatically monitored communications sent containing PHI, they did so on a reactive basis. In other words, while their systems detected the email breach, they did so after the fact and did not actually block the email from being sent.

Why Would an Employee Email PHI to Their Personal Account?

In this instance, it seems the employee believed there would be commercial or career benefit by emailing over 70,000 patients records to both her personal email account and that of her new employer.

Insurance information, Social Security Numbers and Personally Identifiable Information (PII) were included in the emailed data. This data is precisely what an identity thief would need to obtain loans, credit cards, make false insurance claims and commit medical fraud.

SEE ALSO: Lack of Email DLP causes HIPAA Violation in California

How Can Paubox Suite Premium Help?

Paubox Suite Premium includes Email DLP features, which can prevent HIPAA violations by scanning outbound email to detect the presence of protected health information and other indicators.

Taking Jacobi Medical Center as an example, a robust email DLP solution would have detected when that employee included things like thousands of Social Security Numbers in an email.

In the case of Paubox Suite Premium, we would:

  • Quarantine the outbound emails and not allowed them to reach the intended recipients.
  • Send an email alert to the DLP administrator.
  • Optionally send an email alert to the sender notifying them their email got quarantined.

SEE ALSO: Email DLP can Monitor PHI Being Sent to Personal Accounts

Try Paubox Email Suite Premium for FREE today.

About the author

Hoala Greevy

Founder CEO Paubox. Kayak fishing when I can.

Read more by Hoala Greevy

Get started with
end-to-end protection

Bolster your organization's security with state-of-the-art email encryption and inbound email security.

Highest rated HIPAA compliant messaging solution on G2

EmailEncryption BestMeetsRequirements MeetsRequirements
SecureEmailGateway MostImplementable Total
SecureEmailGateway Leader Leader
SecureEmailGateway EasiestToUse EaseOfUse
SecureEmailGateway EasiestAdmin EaseOfAdmin
SecureEmailGateway BestUsability Total
SecureEmailGateway BestResults Total
SecureEmailGateway BestRelationship Total
EmailEncryption UsersMostLikelyToRecommend Nps
EmailEncryption MomentumLeader Leader
SecureEmailGateway BestSupport Mid Market QualityOfSupport
EmailEncryption BestMeetsRequirements MeetsRequirements
SecureEmailGateway MostImplementable Total
SecureEmailGateway Leader Leader
SecureEmailGateway EasiestToUse EaseOfUse
SecureEmailGateway EasiestAdmin EaseOfAdmin
SecureEmailGateway BestUsability Total
SecureEmailGateway BestResults Total
SecureEmailGateway BestRelationship Total
EmailEncryption UsersMostLikelyToRecommend Nps
EmailEncryption MomentumLeader Leader
SecureEmailGateway BestSupport Mid Market QualityOfSupport