Paubox blog: HIPAA compliant email made easy

Not having email DLP leads to 90,000 patient records breached

Written by Hoala Greevy | May 23, 2017

 

In April 2015, the New York City Health & Hospitals Corporation’s (HHC) Jacobi Medical Center reported 90,060 patient records were breached when an employee emailed the records to her personal email account. In addition, she also cc'd her new employer. The email was sent shortly before the employee left HHC Jacobi Medical Center to work for another healthcare provider.

The emailed data contained the following patient protected health information ( PHI):

  • Names
  • Addresses
  • Telephone numbers
  • Medical record numbers
  • Health insurance information
  • Treatment dates
  • Medical services received
  • Social Security Numbers

 

Although the Jacobi Medical Center automatically monitored communications sent containing PHI, they did so on a reactive basis. In other words, while their systems detected the email breach, they did so after the fact and did not actually block the email from being sent.

 

Why Would an Employee Email PHI to Their Personal Account?

In this instance, it seems the employee believed there would be commercial or career benefit by emailing over 70,000 patients records to both her personal email account and that of her new employer. Insurance information, Social Security Numbers and Personally Identifiable Information (PII) were included in the emailed data. This data is precisely what an identity thief would need to obtain loans, credit cards, make false insurance claims and commit medical fraud.

SEE ALSO: Lack of Email DLP causes HIPAA Violation in California

 

How Can Paubox Suite Premium Help?

Paubox Suite Premium includes Email DLP features, which can prevent HIPAA violations by scanning outbound email to detect the presence of protected health information and other indicators. Taking Jacobi Medical Center as an example, a robust email DLP solution would have detected when that employee included things like thousands of Social Security Numbers in an email. In the case of Paubox Suite Premium, we would:
  • Quarantine the outbound emails and not allowed them to reach the intended recipients.
  • Send an email alert to the DLP administrator.
  • Optionally send an email alert to the sender notifying them their email got quarantined.

 

SEE ALSO: Email DLP can Monitor PHI Being Sent to Personal Accounts

 

Try Paubox Email Suite Premium for FREE today.