In April 2015, the New York City Health & Hospitals Corporation’s (HHC) Jacobi Medical Center reported 90,060 patient records were breached when an employee emailed the records to her personal email account. In addition, she also cc’d her new employer. The email was sent shortly before the employee left HHC Jacobi Medical Center to work for another healthcare provider.
The emailed data contained the following patient protected health information (PHI):
- Telephone numbers
- Medical record numbers
- Health insurance information
- Treatment dates
- Medical services received
- Social Security Numbers
Although the Jacobi Medical Center automatically monitored communications sent containing PHI, they did so on a reactive basis. In other words, while their systems detected the email breach, they did so after the fact and did not actually block the email from being sent.
Why Would an Employee Email PHI to Their Personal Account?
In this instance, it seems the employee believed there would be commercial or career benefit by emailing over 70,000 patients records to both her personal email account and that of her new employer.
Insurance information, Social Security Numbers and Personally Identifiable Information (PII) were included in the emailed data. This data is precisely what an identity thief would need to obtain loans, credit cards, make false insurance claims and commit medical fraud.
How Can Email DLP Help?
Email DLP can prevent such incidents by scanning outbound email to detect the presence of protected health information and other indicators.
Taking Jacobi Medical Center as an example, a robust email DLP solution would have detected when that employee included things like thousands of Social Security Numbers in an email.
In the case of Paubox DLP Suite, we would:
- Quarantine the outbound emails and not allowed them to reach the intended recipients.
- Send an email alert to the DLP administrator.
- Optionally send an email alert to the sender notifying them their email got quarantined.