The HIPAA violation was uncovered during an internal search for email correspondence between its staff and insurance carriers.
The emailed spreadsheets contained:
- Dates of birth
- Details of healthcare benefits
- Social Security Numbers
The PHI contained in those email attachments affected a wide swath of Illinois government employees and appears to have taken place over a span of three years (2011-2013).
Those impacted include current and former employees of:
- Village of Oak Park
- Oak Park Library
- Oak Park Township
- The Park District of Oak Park
- The West Suburban Consolidated Dispatch Center
Why Would an Employee Forward PHI to Their Personal Account?
Village of Oak Park could not determine why the employee sent the email attachments to their personal email.
Although both internal and criminal investigations concluded that the data had not be abused or sold to third parties, it still represented a HIPAA violation. Since there was no legitimate reason for the PHI to be emailed to a personal email account, the employee was terminated.
How Can Paubox Email DLP Suite Help?
Email DLP can prevent HIPAA violations by scanning outbound email to detect the presence of protected health information and other indicators.
In the case of Village of Oak Park, a good email DLP solution would have detected when that employee included things like Social Security Numbers and dates of birth to a personal account.
Paubox DLP Suite provides the following benefits:
- Quarantines the outbound email.
- Sends an email alert to the DLP administrator.
- Optionally sends an email alert to the sender notifying them their email got quarantined.