Email is the second most common breach location, affecting 108,199 individuals. The combination of human error, inadequate encryption, and the systematic use of email in healthcare settings contributes to its frequent occurrence.
Common reasons for breaches via email
Human error and lack of awareness
One of the primary reasons for email breaches is human error, with at least 85% of data breaches in organizations attributable to individual mistakes. Employees may inadvertently send emails containing protected health information (PHI) to the wrong recipients. This mistake could happen due to autocomplete errors in email addresses or an oversight in choosing the correct recipient. Lack of awareness or inadequate training regarding HIPAA guidelines and the sensitivity of patient data can contribute to these errors.
Insufficient encryption and security measures
There has been a 24% increase in hacking and IT-related incidents observed in the third quarter of 2023. Many breaches occur due to emails being sent without proper encryption. Insecure email systems or lack of encrypted communication channels can leave patient data vulnerable to interception or unauthorized access.
Phishing attacks and social engineering
Phishing attacks often involve cybercriminals posing as trustworthy entities in an attempt to deceive individuals into revealing sensitive information. Email is the most frequently used vector for these attacks because of its ubiquity in personal and professional communication.
In phishing emails, attackers often craft messages that appear to come from legitimate organizations, such as banks, service providers, or popular online platforms. These messages typically contain urgent or alarming statements designed to prompt immediate action, such as clicking on a link or downloading an attachment, which can lead to malicious consequences.
The healthcare industry is a prime target for phishing attacks due to the vast amounts of sensitive patient information it manages. This data, which includes personal identifiers, medical histories, and payment information, is highly valued on the black market.
Diverse device usage and remote work
The proliferation of various devices for accessing emails and the rise of remote work have increased the challenge of securing email communications. Devices that lack adequate security measures or are not regularly updated might be vulnerable to breaches.
Lack of clear policies and procedures
Sometimes, organizations might have inadequate or ambiguous policies and procedures regarding email communications. The absence of clear guidelines on how to handle PHI in emails can lead to mistakes and unintentional breaches. Even organizations with air-tight policies and breach prevention procedures can experience a HIPAA breach because of a business associate. Business associates were implicated in about 47% of all breach incidents.
Unsecure networks and Wi-Fi
Sending emails containing patient information over unsecured networks or public Wi-Fi without proper encryption can expose the data to potential interception by unauthorized parties. Breaches related to these incidents amounted to 47 data breaches occur as a result of network servers in September 2023.
Misuse of forwarding and auto-save features
Employees might inadvertently forward sensitive patient information to unintended recipients or have PHI saved in drafts or auto-save features, risking exposure.
How to avoid email HIPAA breaches
Implement secure email solutions: Utilize HIPAA compliant email services that offer encryption, ensuring patient information remains secure during transmission.
Vendor risk management: Monitor and evaluate the security practices of third-party vendors, ensuring they adhere to robust security measures and comply with HIPAA standards when handling patient data.
Automated monitoring and response systems: Implement systems to monitor email traffic for potential threats, enabling quick detection and immediate response to any identified security risks or breaches.
Employee accountability and reporting: Encourage a culture of responsibility and accountability, prompting employees to report any potential security incidents or breaches promptly.
Privacy impact assessments: Conduct regular privacy impact assessments to identify potential risks in email communications and ensure compliance with evolving privacy and security standards.
Centralized incident reporting and analysis: Centralize incident reporting systems to efficiently record, investigate, and analyze email-related security incidents for continuous improvement and learning.
Understanding HIPAA violations
- Tier 1 - No knowledge of violation: The involved party had no knowledge of the HIPAA violation.
- Tier 2 - Reasonable cause without willful neglect: Violations occur due to reasonable cause but not because of willful neglect.
- Tier 3 - Willful neglect with corrective action: Violations are due to willful neglect but were corrected within the required time frame.
- Tier 4 - Willful neglect without correction: Involves willful neglect leading to violations not corrected within the stipulated time.
Go deeper:
Kirsten Peremore
