Email DLP can curb automatic email forwarding rules


Earlier this year, Health Department officials in Multnomah County, Oregon discovered that an employee had set up an automatic mail forwarder that resulted in a HIPAA violation. The employee in question configured their work email account to automatically forward all email to a personal Gmail account.

As we’ve previously covered, when it comes to Gmail and HIPAA compliance, the two don’t mix. In a nutshell, Google is willing to sign a Business Associate Agreement (BAA) for use with some, but not all, of their services.

Google does not offer a BAA for Gmail.com accounts.

SEE RELATED: How to Make Gmail HIPAA Compliant

The employee who committed the HIPAA violation works in the Multnomah County Health Department. That means emails sent to that person’s work address were automatically forwarded to the personal account, including the following protected health information (PHI):

  • Names
  • Ages
  • Medical record numbers
  • Medical diagnoses
  • Dates of service
  • Medication names
  • Prescription numbers

The HIPAA violation was found during a random audit in November 2016. A subsequent internal investigation found that:

  • The email forwarding occurred for over four years (Aug 2012 – Nov 2016).
  • PHI for about 1700 patients was exposed.
  • There was no evidence that the forwarded emails were read, forwarded or sold to another party.
  • Social Security numbers, home addresses, or phone numbers were not present in the forwarded emails.

Although the County confirmed that the Gmail account had been deleted, the possibility that PHI was inappropriately accessed could not be ruled out.

Why Would an Employee Forward PHI to Their Personal Account?

It is unclear why the emails were forwarded to the employee’s Gmail account. Although it may have been an innocent mistake, it still represents a HIPAA violation.

How Can Paubox Suite Premium Help?

Paubox Suite Premium offers Email DLP features, which can prevent HIPAA violations by scanning outbound email to detect the presence of protected health information and other indicators.

In the case of Multnomah County, a good email DLP solution would have detected when that employee’s outbound mail to a personal account contained items like medical record numbers, medication names and medical diagnoses. An automatic forwarding rule generates outbound mail just like a manually sent message, so the forwarded copies pass through the same scan.

In the case of Paubox Suite Premium, we would:

  • Quarantine the outbound email.
  • Send an email alert to the DLP administrator.
  • Optionally send an email alert to the sender notifying them that their email was quarantined.
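To make the quarantine-and-alert flow above concrete, here is an added example of a minimal outbound DLP check; it is not Paubox code and does not reflect how Paubox Suite Premium is implemented. It scans each outbound message for the PHI indicators the post lists (medical record numbers, prescription numbers, medication names, diagnoses), treats a personal-mailbox destination as an additional indicator, and returns a verdict that quarantines the message and names who should be alerted. The organisation domain, admin address, identifier formats and the small medication and diagnosis vocabularies are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample vocabularies; a real DLP engine uses much larger dictionaries.
MEDICATION_TERMS = ("metformin", "lisinopril", "atorvastatin", "insulin")
DIAGNOSIS_TERMS = ("diabetes", "hypertension", "asthma", "depression")
PERSONAL_MAIL_DOMAINS = frozenset({"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"})

# Assumed identifier formats: "MRN: 00412345" and "Rx #00987654" style tokens.
MRN_RE = re.compile(r"\b(?:MRN|medical record (?:number|no\.?))\s*[:#]?\s*\d{6,10}\b", re.I)
RX_RE = re.compile(r"\b(?:Rx|prescription)\s*(?:number|no\.?|#)?\s*[:#]?\s*\d{6,12}\b", re.I)
WORD_RE = {t: re.compile(rf"\b{re.escape(t)}\b", re.I) for t in MEDICATION_TERMS + DIAGNOSIS_TERMS}


@dataclass(frozen=True)
class Message:
    sender: str
    recipients: tuple
    subject: str
    body: str


@dataclass(frozen=True)
class Verdict:
    action: str        # "deliver" or "quarantine"
    indicators: tuple  # what the scan found (empty when delivered)
    alerts: tuple      # addresses that receive a quarantine notice


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(msg: Message, org_domain: str) -> tuple:
    """Recipients outside the organisation's own mail domain."""
    return tuple(r for r in msg.recipients if mail_domain(r) != org_domain.lower())


def find_phi_indicators(text: str) -> tuple:
    """Return labels for each PHI indicator present in the text."""
    found = []
    if MRN_RE.search(text):
        found.append("medical record number")
    if RX_RE.search(text):
        found.append("prescription number")
    for term in MEDICATION_TERMS:
        if WORD_RE[term].search(text):
            found.append(f"medication name: {term}")
    for term in DIAGNOSIS_TERMS:
        if WORD_RE[term].search(text):
            found.append(f"diagnosis: {term}")
    return tuple(found)


def evaluate(msg: Message, org_domain: str, dlp_admin: str, notify_sender: bool = False) -> Verdict:
    """Decide whether an outbound message is delivered or quarantined.

    Internal-only mail is never inspected here; mail leaving the organisation is
    quarantined when any PHI indicator is present, and the DLP administrator
    (optionally also the sender) is alerted.
    """
    outside = external_recipients(msg, org_domain)
    if not outside:
        return Verdict("deliver", (), ())
    indicators = find_phi_indicators(msg.subject + "\n" + msg.body)
    if not indicators:
        return Verdict("deliver", (), ())
    # Destination at a consumer mailbox provider is an extra signal worth recording.
    personal = sorted({mail_domain(r) for r in outside if mail_domain(r) in PERSONAL_MAIL_DOMAINS})
    notes = tuple(f"recipient at personal mail domain: {d}" for d in personal)
    alerts = [dlp_admin] + ([msg.sender] if notify_sender else [])
    return Verdict("quarantine", indicators + notes, tuple(alerts))


# Constructed sample traffic: an auto-forwarded copy of a clinical note to Gmail,
# the same note sent internally, and a harmless note sent to Gmail.
ORG_DOMAIN = "county-health.example"        # placeholder organisation domain
DLP_ADMIN = "dlp-admin@county-health.example"  # placeholder admin mailbox
CLINICAL_BODY = ("Patient MRN: 00412345, dx diabetes type 2, started metformin 500 mg. "
                 "Rx #00987654 sent to pharmacy.")
FORWARDED_TO_GMAIL = Message("nurse@county-health.example", ("nurse.home@gmail.com",),
                             "FW: visit summary", CLINICAL_BODY)
INTERNAL_COPY = Message("nurse@county-health.example", ("physician@county-health.example",),
                        "visit summary", CLINICAL_BODY)
HARMLESS_TO_GMAIL = Message("nurse@county-health.example", ("nurse.home@gmail.com",),
                            "lunch", "Lunch at noon?")


def demo() -> dict:
    """Run the three constructed samples through the check and return the verdicts."""
    return {
        "forwarded_to_gmail": evaluate(FORWARDED_TO_GMAIL, ORG_DOMAIN, DLP_ADMIN, notify_sender=True),
        "internal_copy": evaluate(INTERNAL_COPY, ORG_DOMAIN, DLP_ADMIN),
        "harmless_to_gmail": evaluate(HARMLESS_TO_GMAIL, ORG_DOMAIN, DLP_ADMIN),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.action} {list(verdict.indicators)} alerts={list(verdict.alerts)}")
```

Only the forwarded copy to Gmail is quarantined; the identical note sent to a colleague on the organisation domain is delivered untouched, which is the behaviour an outbound-only DLP policy needs so that normal clinical workflow is not blocked. Real deployments pair the content scan with a larger term list and with alerting on the creation of the forwarding rule itself, but the content check is what stops the forwarded mail regardless of how the rule was created.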

SEE ALSO: Lack of Email DLP causes HIPAA Violation in California


About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
