Employee email misuse at South Florida Community Care Network led to a data breach of protected health information (PHI). South Florida Community Care Network, also known as Community Care Plan (CCP), is a provider service network in Broward County, Florida. Most cyber news focuses on third-party threat actors intent on encrypting or stealing data for malicious reasons. However, employee negligence (i.e., unauthorized access/disclosure) can be just as damaging and frustrating.
This is especially true for covered entities and their business associates, who must safeguard PHI under HIPAA, the U.S. legislation that protects the rights and privacy of patients. Whether a breach is accidental or deliberate does not matter, as healthcare providers must demonstrate their due diligence before any breach occurs.
According to the CCP breach notice, the company was reviewing a former employee’s email on June 21 when it noticed the breach, which took place between October 27 and December 28, 2020. The employee had sent internal documents containing PHI from a work email address to a personal account. Emailing internal documents to a personal account is against CCP’s employee policy, and is also against HIPAA if the personal accounts/devices are not properly protected.
The forwarded emails include names, birth dates, addresses, diagnoses, procedure billing codes and/or types, primary care physician information, and member identification numbers. CCP had cut access and recovered all company-issued equipment when the former worker’s employment ended. But after the incident, CCP audited all of the employee’s actions to ensure no other activities outside the policy occurred. There is no evidence of any other activities or malicious intent. But as required under the HIPAA Breach Notification Rule, CCP still notified affected patients of the breach. The U.S. Health and Human Services Breach Portal lists 48,344 affected individuals.
Employee email misuse
Malicious breaches receive more attention than accidental ones, but organizations must be just as wary of employee negligence and unauthorized email use. In fact, another recent breach in California happened because of a California Department of State Hospitals employee emailing PHI to the U.S. District Court, Eastern District of California. Federal and state privacy laws, however, prohibit the release of personally identifiable information (PII) and PHI of patients who never filed a lawsuit. Unfortunately, human error is inevitable, especially within the healthcare industry with its tired and stressed employees.
The risk is even greater because email is the most utilized threat vector (or entry point) into any system. Additionally, an accident could open the door to threat actors looking to take advantage of unknowledgeable employees. An accidental breach, just like a hack, could cause irreparable damage. It could still be a HIPAA violation, which is why it is important to utilize strong cybersecurity.
Essential layers of cybersecurity
An inherent cause of accidental breaches and human error is the lack of proper cyber education. In fact, education was part of the Biden administration’s focus during a recent meeting with top cybersecurity leaders. Employee awareness training teaches employees about HIPAA compliant defenses, recognizing and blocking malicious cyberattacks, and what steps to take after a breach. It also covers an organization’s cybersecurity policies and procedures, such as not sharing PHI to personal email accounts. But employee awareness training is not enough on its own. Additional physical, technical, and administrative safeguards must be combined with training for an effective cybersecurity program. Such safeguards include:
- Access controls (e.g., strong password policies)
- Encryption and antivirus software
- Separate backup for sensitive information
- Patched and up-to-date devices
Always include strong email security
Paubox Email Suite Premium provides needed email protection to stop the most utilized threat vector from being a continuous problem. With our HITRUST CSF certified solution, all emails are encrypted directly from an existing email platform (such as Microsoft 365 and Google Workspace). It requires no change in email behavior. No extra logins, passwords, or portals.
Paubox Email Suite Premium also comes with ExecProtect (built to block display name spoofing emails) and our new Zero Trust feature, both of which safeguard an inbox from threat actors. And most importantly, our Premium level comes with data loss prevention (DLP), which stops unauthorized employees from transmitting sensitive data outside an organization. This could have prevented CCP's HIPAA violation.
A solution that protects healthcare providers from third-party and insider threats is essential, especially when it comes to safeguarding both PII and PHI from employee email misuse. Don’t ignore the fact that you could become the victim of an accidental breach. Rather, proactively protect your organization and your patients' privacy before such mistakes occur.