4000 patient records in New York breached due to nonexistent email DLP

In June 2015, Metropolitan Hospital Center in New York submitted a HIPAA breach notice to the Department of Health and Human Services’ Office for Civil Rights (OCR). As required by law, the hospital was obligated to report all HIPAA breaches involving 500 records or more.

The HIPAA breach was due to an employee emailing nearly 4,000 patient records to his personal email account.

The emailed data contained the following protected health information:

  • Names
  • Medical record numbers
  • Medical diagnoses
  • Physicians’ names
  • Sensitive medical information

The HIPAA violation occurred on 15 January 2015 but was not discovered until 31 March 2015. What’s mind-boggling to me is that while it’s clear the hospital allocated budget to having some form of Data Loss Prevention (DLP) in place, they monitored their email systems only after the fact. Therefore, the HIPAA breach still occurred and it took them over two months to discover it. I don’t think they got good ROI on their vendor choice for Email DLP.

Why Would an Employee Email PHI to Their Personal Account?

Metro Hospital Center in New York could not determine why the employee sent the email with patient PHI to his personal email.

While there was no indication the employee improperly used the information contained in the email, its transmission was unauthorized and represents a HIPAA violation.

How Can Paubox Suite Premium Help?

Paubox Suite Premium includes Email DLP features, which can prevent HIPAA violations by scanning outbound email to detect the presence of protected health information and other indicators.

In the case of the Metropolitan Hospital Center in New York, a good email DLP solution would have detected that the employee was sending things like medical record numbers and sensitive medical information to a personal account.

Paubox Suite Plus provides the following benefits:

  • Quarantine the outbound email.
  • Send an email alert to the DLP administrator.
  • Optionally send an email alert to the sender notifying them their email got quarantined.
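
The outbound check described above can be sketched as a small gateway-side rule. This is an added example, not Paubox's code: the MRN pattern, the personal-domain list, the diagnosis keywords, the bulk threshold and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed policy values for this example; tune to your own environment.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
MRN_RE = re.compile(r"\bMRN[:#\s]*(\d{6,10})\b", re.I)    # hypothetical MRN format
DX_RE = re.compile(r"\b(diagnosis|diagnoses|dx)\b", re.I)  # crude diagnosis hint
BULK_MRNS = 3   # this many distinct MRNs counts as a bulk export

def text_parts(msg):
    """Join every text/* part, so text attachments (e.g. CSV) are scanned too."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def evaluate(raw_message, notify_sender=False):
    """Return the gateway verdict for one outbound message (header recipients only)."""
    msg = message_from_string(raw_message)
    rcpts = [addr.lower() for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    personal = [a for a in rcpts if a.rpartition("@")[2] in PERSONAL_DOMAINS]
    text = text_parts(msg)
    mrns = set(MRN_RE.findall(text))
    has_phi = len(mrns) >= BULK_MRNS or (bool(mrns) and bool(DX_RE.search(text)))
    quarantine = bool(personal) and has_phi
    alerts = []
    if quarantine:
        alerts.append("dlp-admin")       # always alert the DLP administrator
        if notify_sender:
            alerts.append("sender")      # optional notice to the sender
    return {"action": "quarantine" if quarantine else "deliver",
            "personal_recipients": personal, "mrn_count": len(mrns), "alerts": alerts}

# Constructed sample messages (no real patient data).
EXFIL = ("From: jdoe@hospital.example\nTo: jdoe.home@gmail.com\nSubject: list\n\n"
         "Smith, A  MRN: 10482211  dx hypertension\n"
         "Lee, B    MRN: 10482377  dx asthma\n"
         "Cruz, C   MRN: 10490012  dx diabetes\n")
INTERNAL = EXFIL.replace("jdoe.home@gmail.com", "records@hospital.example")
BENIGN = ("From: jdoe@hospital.example\nTo: jdoe.home@gmail.com\n"
          "Subject: lunch\n\nRunning late, start without me.\n")

if __name__ == "__main__":
    for name, m in (("exfil", EXFIL), ("internal", INTERNAL), ("benign", BENIGN)):
        print(name, evaluate(m))
```

A production gateway would evaluate the SMTP envelope recipients rather than the headers, since Bcc addresses do not appear in the message itself.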

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.