According to Houston Health, the breach was due to a technical issue with its patient portal rather than malicious intent. Many covered entities choose to use a portal for communication, but patient portals aren’t as secure as believed; HIPAA compliant email is a safer bet.
What happened at Houston Health?
Houston Health first alerted patients of its breach on February 24. It discovered the issue within a portal on January 6 and immediately deactivated the system for 48 hours. The subsequent investigation found that a technical issue within the patient portal linked user accounts together, sharing patient information. Exposed PHI included COVID-19 test dates and results as well as:
- Email addresses
About 3,500 portal users had access to 10,000 test results.
The Office for Civil Rights lists the breach on its Breach Notification Portal as an unauthorized access/disclosure affecting 10,291 individuals. There was no evidence of malicious intent or data misuse. Houston Health’s breach alert ended with: “Additional processes have been implemented to ensure this incident does not reoccur.”
To portal or not to portal
A patient portal is a healthcare-related online app that allows patients to securely communicate with healthcare providers. Portals are available 24 hours a day, and patients can access their PHI at their convenience.
Portals ask patients to use a different website or download an app and create a separate login to access a separate system. They seem like an easy, secure solution, but as we have written in past blogs, this is not the case.
Hackers can still compromise the portal login, which in and of itself is an annoyance to patients. And obviously, something as simple as a technical issue (like Houston Health’s) can expose PHI. Standalone portals aren’t the best solution for safeguarding sensitive information.
Why email is better than patient portals
Part of the reason healthcare organizations began to use portals is to increase patient engagement. But studies indicate patient engagement through email is better. More than 1 in 3 patients reported that email helped them avoid an unnecessary doctor’s visit.
In fact, the same number of patients reported that email communication with their provider improved their overall health. But that does not necessarily make email communication more secure. Strong encryption that keeps PHI safe in transit and at rest does.
SEE ALSO: How to make your email HIPAA compliant
Ultimately HIPAA compliant email is a safer, simpler, more convenient, and more effective communication tool. It keeps messages and PHI protected, helping covered entities avoid unsecured breaches and HIPAA violations.
Paubox Email Suite Plus means solid email security
Paubox Email Suite seamlessly employs strong email security to keep communication HIPAA compliant. Employees and patients don’t need extra passwords or logins. No portals or prerequisites to ensure patients have control over their health.
Our HITRUST CSF certified solution encrypts all outbound email. And better yet, messages can be sent directly from an existing email platform such as Microsoft 365 or Google Workspace. And Paubox Email Suite Plus provides even more inbound security with robust spam, malware, and phishing protection.
Houston Health accidentally caused its recent portal breach, exposing PHI and causing a HIPAA violation. Something that could have been avoided in the first place with HIPAA compliant email like Paubox Email Suite.