by Hoala Greevy Founder CEO of Paubox

4000 Patient Records in New York Breached Due to Nonexistent Email DLP


In June 2015, Metropolitan Hospital Center in New York submitted a HIPAA breach notice to the Department of Health and Human Services’ Office for Civil Rights (OCR). As required by law, the hospital was obligated to report all HIPAA breaches involving 500 records or more.

The HIPAA breach was due to an employee emailing nearly 4,000 patient records to his personal email account.

The emailed data contained the following protected health information:

  • Names
  • Medical record numbers
  • Medical diagnoses
  • Physicians’ names
  • Sensitive medical information

The HIPAA violation occurred on 15 January 2015 but was not discovered until 31 March 2015. What’s mind-boggling to me is that while it’s clear the hospital allocated budget to having some form of Data Loss Prevention (DLP) in place, they monitored their email systems only after the fact. Therefore, the HIPAA breach still occurred and it took them over two months to discover it. I don’t think they got good ROI on their vendor choice for Email DLP.

SEE RELATED: Not Having Email DLP Leads to 90,000 Patient Records Breached

Why Would an Employee Email PHI to Their Personal Account?

Metro Hospital Center in New York could not determine why the employee sent the email with patient PHI to his personal email.

While there was no indication the employee improperly used the information contained in the email, its transmission was unauthorized and represents a HIPAA violation.

How Can Email DLP Help?

Email DLP can prevent HIPAA violations by scanning outbound email to detect the presence of protected health information and other indicators.

In the case of the Metropolitan Hospital Center in New York, a good email DLP solution would have detected when that employee sent things like medical record numbers and sensitive medical information to a personal account.

Paubox DLP Suite provides the following benefits:

  • Quarantine the outbound email.
  • Send an email alert to the DLP administrator.
  • Optionally send an email alert to the sender notifying them their email got quarantined.
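The outbound check described above can be sketched in a few lines of Python. This is an added example, not Paubox's implementation or code from the original article: the organization domain, the webmail list, the `MRN` pattern, the bulk threshold and the action names are all assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical policy values for illustration; none come from the article.
ORG_DOMAINS = {"hospital.example"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
MRN_RE = re.compile(r"\bMRN[:#\s-]*(\d{6,10})\b", re.IGNORECASE)  # assumed MRN format
BULK_THRESHOLD = 5  # distinct MRNs at which mail to any external domain is blocked


def extract_text(msg):
    """Return the subject plus every text/* part, text attachments included."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def evaluate_outbound(raw_message, notify_sender=True):
    """Decide before delivery whether an outbound message is quarantined."""
    msg = message_from_string(raw_message)
    headers = [h for name in ("To", "Cc", "Bcc") for h in msg.get_all(name, [])]
    domains = {addr.rpartition("@")[2].lower() for _, addr in getaddresses(headers)}
    external = domains - ORG_DOMAINS
    personal = external & PERSONAL_DOMAINS
    mrns = set(MRN_RE.findall(extract_text(msg)))
    # Block any MRN sent to a personal mailbox, or a bulk export to any outside domain.
    blocked = bool(mrns) and (bool(personal) or (bool(external) and len(mrns) >= BULK_THRESHOLD))
    actions = ["deliver"]
    if blocked:
        actions = ["quarantine", "alert_dlp_admin"] + (["alert_sender"] if notify_sender else [])
    return {"actions": actions, "mrn_count": len(mrns), "personal_domains": sorted(personal)}


def sample_message(to_addr, records):
    """Constructed test input: fake rows, not real patient data."""
    rows = "\n".join(f"Patient {i}, MRN: {100000 + i}, diagnosis: test" for i in range(records))
    return f"From: staff@hospital.example\nTo: {to_addr}\nSubject: export\n\n{rows}\n"


if __name__ == "__main__":
    print(evaluate_outbound(sample_message("someone@gmail.com", 4000)))
    print(evaluate_outbound(sample_message("colleague@hospital.example", 4000)))
```

Because the decision is made before the message leaves the gateway, the verdict is available at send time rather than months later in a log review.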

SEE ALSO: Email DLP can Monitor PHI Being Sent to Personal Accounts