Littleton Regional Healthcare announces data breach

The New Hampshire-based clinic recently disclosed a HIPAA data breach. 


What happened

Littleton Regional Healthcare, a regional clinic in New Hampshire with over 500 staff members, recently announced a data breach. The breach occurred on January 2nd, 2024, and was announced to the public on February 29th. Littleton shared that the root of the breach was an unsecured email. An individual inadvertently sent an unprotected email to another person. The email contained the names and birth dates of over 500 patients. The recipient contacted Littleton as soon as the email was discovered. The email was promptly deleted.

Littleton believes there was no malicious intent; no information was further shared, published, or stolen. After an investigation, the hospital stated they are implementing a corrective action plan for involved employees. The team is also reviewing its operating systems to prevent future disclosures. No other personal information, like Social Security numbers, health plan information, or health records, was shared.


What was said

As part of their corrective action plan, Littleton said they will review all policies and procedures. Furthermore, the hospital said, “Additional training is being conducted to reduce the likelihood of a similar event occurring in the future.”

In the breach notification letter released on March 1st, Littleton said, “We are very sorry this occurred and sincerely regret this accidental disclosure. We consider the privacy of your medical information to be of utmost importance, and we strive to maintain it in a secure manner. We are committed to providing quality care and protecting your personal information and we want to assure you that we have policies and procedures to protect your privacy.” 


Why it matters

While many hospitals have robust security systems, human errors can be difficult to avoid. With many hospital workers feeling overwhelmed, it can be challenging to remember small–but critical–steps regarding sharing data. 

Erroneously sharing information via email is a surprisingly common problem. Many email encryption services require senders to check boxes, create passcodes, or complete other tasks to ensure an email is sent securely. These systems always leave room for error. 

A recent study showed that employees are especially vulnerable to these incidents, likely because they have many job duties outside of sending protected emails. In a 2023 study, nearly 50% of hospital workers shared that their cybersecurity training was insufficient. 22% said that security protocols were not enforced. 

Read more: New survey reveals gap in cybersecurity implementation


The big picture

Breaches caused by human error are not inevitable; in fact, they can easily be prevented with the right technology. 

Paubox automatically encrypts every email, meaning that employees will never have to opt into encryption, set up passwords, or do anything different than they would to send a normal email. It may seem like one small step, but it can save a hospital’s reputation and ensure HIPAA compliance is always being met. 

Read more: HIPAA Compliant Email: The Definitive Guide
