UAMS notifies patients of an email data breach

The University of Arkansas for Medical Sciences (UAMS) recently notified affected patients of a data breach. As stated in the online notification, the breach occurred through employee email negligence.

RELATED: Compromised employee accounts are an expensive problem according to IBM report

Whether a breach occurs accidentally or deliberately does not matter under the HIPAA Act. Given the legislation, healthcare covered entities must safeguard protected health information (PHI) from both negligence and malicious intent.

Moreover, proper protection must be a combination of various cybersecurity features. And to prevent email breaches, this means always utilizing strong email security (i.e., HIPAA compliant email).

What happened?

On November 29, 2021, UAMS discovered that a former employee sent emails from a UAMS account to their personal Gmail account. The employee sent the emails on November 15 while still employed; patient information in Microsoft Excel spreadsheets was attached to the emails.

The spreadsheets included PHI for 518 impacted patients such as:

• Names
• Hospital account numbers
• Dates of service
• Insurance types
• Claim information
• Medical record numbers
• Birthdates and medical information

Upon discovery, UAMS filed a police report and contacted the employee who explained that it was a mistake. No information was retained or shared and there is no evidence that anyone accessed the data.

Nonetheless, as required under the HIPAA Breach Notification Rule, UAMS began to notify affected patients. UAMS sent notification letters through the mail and also included the information on its website.

The Office for Civil Rights’ (OCR) Breach Notification Portal records the breach as unauthorized access/disclosure.

Employee email misuse

Generally, malicious threats receive more attention than accidental ones. In reality, employee negligence can be as detrimental. Moreover, OCR may decide that an accidental breach, just like a hack, could be a HIPAA violation.

RELATED: What you don’t know about cybersecurity can put your business at risk

A similar email breach occurred last year at South Florida Community Care Network. And in that case, like this one, the employee meant no harm but still triggered a reaction. Emailing internal documents to a personal account is against HIPAA guidelines when personal accounts/devices (and therefore PHI) are not properly protected.

RELATED: Why BYOD protection is important for healthcare

Employee email misuse, whether malicious or not, is problematic. If malicious, the data may be used for personal or monetary gain. If accidental, the data may be found by threat actors looking to take advantage of unknowledgeable employees.

How UAMS could avoid this headache

An inherent cause of accidental breaches and human error is the lack of up-to-date cyber education. Proper employee awareness training informs employees about HIPAA compliant defenses, recognizing and blocking malicious cyberattacks, and what steps to take after a breach. And of course, training could (and should) include an organization’s cybersecurity policies and procedures, such as no forwarding PHI to personal email accounts.

According to UAMS, the organization requires employees to complete annual HIPAA training. Training that includes proper PHI handling as well as the use of secure (work) email rather than unsecured (personal) accounts. Obviously, given this breach, employee awareness training is not enough on its own. Human error, especially through email, is unfortunately inevitable.

RELATED: How to ensure your employees aren’t a threat to HIPAA compliance

That is why one feature to layer with training is comprehensive email security. And that email security should include email data loss prevention (DLP). Even more so because email is the most utilized threat vector (or entry point) into any system.

Prevent data loss—Paubox Email Suite Premium

Email DLP prevents sensitive data from being accidentally or maliciously sent to unauthorized parties. A good email DLP system will mitigate risks and prevent data breaches. Paubox Email Suite Premium provides this needed email protection.

Our solution includes both inbound and outbound DLP, allowing customers to create their own rules about sending and receiving sensitive information. DLP stops unauthorized employees from transmitting sensitive data outside an organization, so it could have stopped the former UAMS employee from forwarding PHI to a personal account.

Moreover, Paubox Email Suite includes even more protective features to ensure organizational peace of mind. In fact, the Plus and Premium levels come with our patent-pending Zero Trust Email to confirm an email’s legitimacy and patented ExecProtect to intercept display name spoofing attempts.

Don’t ignore the fact that anyone can become the victim of an accidental breach. Rather, proactively protect your organization, your employees, and your patients’ privacy before a mistake can occur.