Employee email misuse at South Florida Community Care Network

Employee email misuse at South Florida Community Care Network led to a data breach of protected health information (PHI). South Florida Community Care Network, also known as Community Care Plan (CCP), is a provider service network in Broward County, Florida.

Most security news focuses on external threat actors intent on encrypting or stealing data. But employee negligence, the category HHS records as unauthorized access or disclosure, can be just as damaging and frustrating.

RELATED: Compromised employee accounts are an expensive problem according to IBM report

That is especially true for covered entities and their business associates, which must safeguard PHI under HIPAA, the U.S. law that protects patients' privacy rights.

Whether a disclosure is accidental or deliberate does not matter: covered entities must be able to show that they had reasonable safeguards in place before any breach occurs.

SEE ALSO: HIPAA compliant email: the definitive guide

What happened?

According to CCP's breach notice, the organization was reviewing a former employee's mailbox on June 21 when it discovered that, between October 27 and December 28, 2020, the employee had sent internal documents containing PHI from a work email address to a personal email account.

Emailing internal documents to a personal account violates CCP's employee policy, and it violates HIPAA as well if the personal account or device is not protected to the same standard, because the data leaves the organization's safeguards the moment it is sent.

RELATED: Why BYOD protection is important for healthcare

The forwarded emails included names, dates of birth, addresses, diagnoses, procedure billing codes and/or types, primary care physician information, and member identification numbers.

CCP had already cut the former worker's access and recovered all company-issued equipment when their employment ended. After discovering the incident, CCP audited all of the employee's actions to confirm that no other activity outside policy had occurred.

CCP found no evidence of other out-of-policy activity or of malicious intent. As the HIPAA Breach Notification Rule requires, CCP still notified the affected patients. The U.S. Department of Health and Human Services breach portal lists 48,344 affected individuals.

Employee email misuse

Malicious breaches receive more attention than accidental ones, but organizations must be just as wary of employee negligence and unauthorized email use.

Another recent breach, in California, happened because a California Department of State Hospitals employee emailed PHI to the U.S. District Court for the Eastern District of California.

Even where a disclosure to a court is legitimate for the patients involved in a case, federal and state privacy laws prohibit releasing personally identifiable information (PII) and PHI of patients who never filed a lawsuit.

Unfortunately, human error is inevitable, especially in healthcare, where employees are tired and stressed.

RELATED: A parallel pandemic hits health care workers: trauma and exhaustion

It matters even more because email is one of the most heavily used threat vectors (entry points) into any organization. A careless disclosure can also open the door to threat actors looking to take advantage of untrained employees, for example by using the leaked details in follow-on phishing.

An accidental breach, just like a hack, can cause irreparable damage, and it is still a HIPAA violation. That is why strong cybersecurity controls matter.

Essential layers of cybersecurity

A root cause of accidental breaches and human error is the lack of proper security education. Education was in fact part of the Biden administration's focus during a recent meeting with top cybersecurity leaders.

Employee awareness training covers HIPAA compliant defenses, recognizing and blocking cyberattacks, and what to do after a breach. It also covers the organization's own security policies and procedures, such as never sending PHI to personal email accounts.

But employee awareness training is not enough on its own. Physical, technical, and administrative safeguards must be combined with training for an effective cybersecurity program. Such safeguards include:

  • Access controls (unique user IDs, least-privilege role assignment, strong password policies, and multi-factor authentication)
  • Encryption of data at rest and in transit, plus endpoint protection such as antivirus software
  • Separate, access-controlled backups of sensitive information
  • Patched and up-to-date devices
  • Audit logging and periodic review of email and system activity, which is how CCP found this incident

And of course, email security (i.e., HIPAA compliant email) to effectively combat email breaches.

Always include strong email security

Paubox Email Suite Premium provides needed email protection to stop the most utilized threat vector from being a continuous problem.

With our HITRUST CSF certified solution, all emails are encrypted directly from an existing email platform (such as Microsoft 365 and Google Workspace). It requires no change in email behavior. No extra logins, passwords, or portals.

Paubox Email Suite Premium also comes with ExecProtect (built to block display name spoofing emails) and our new Zero Trust feature, both of which safeguard an inbox from threat actors.

And most importantly, the Premium level includes data loss prevention (DLP), which inspects outbound messages and attachments for sensitive data such as PHI and blocks or quarantines them before they leave the organization. Note that the CCP employee was authorized to access the data; DLP works on the content and destination of a message, not only on who is sending it, so a rule of that kind could have prevented CCP's HIPAA violation.
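To make concrete what both the retrospective mailbox audit CCP performed and a send-time DLP decision look like, here is an added example. It is not Paubox product code and not anything CCP published. It parses RFC 822 messages, treats every To/Cc/Bcc recipient outside the organization's domain as external (consumer webmail domains are noted separately), scans the subject and every text part for PHI indicators, and returns allow, review, or block. The organization domain `ccpcares.example`, the member-ID format `CCP` plus eight digits, the webmail list, the dotted ICD-10 pattern, and the sample messages are all assumptions made for illustration.

```python
"""
Outbound-mail PHI check: usable both as a send-time DLP decision and as a
retrospective audit over a mailbox export.  Added example, not Paubox or CCP
code.  The organization domain, member-ID format, webmail list and sample
messages are assumptions made for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

ORG_DOMAIN = "ccpcares.example"        # assumed organization domain
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                    "aol.com", "icloud.com", "protonmail.com"}

# Assumed PHI indicators.  The ICD-10 pattern requires the dotted form
# (E11.9, not E11) so that ordinary tokens such as "B2B" are not flagged.
PHI_PATTERNS = {
    "member_id": re.compile(r"\bCCP\d{8}\b"),               # assumed ID format
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:\-]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "icd10": re.compile(r"\b[A-TV-Z]\d[0-9A-Z]\.[0-9A-Z]{1,4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def _is_internal(addr: str) -> bool:
    domain = addr.rsplit("@", 1)[-1]
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def recipients(msg: Message) -> list[str]:
    """Every To/Cc/Bcc address, lower-cased (Bcc matters: it is the quiet exfil route)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def scannable_text(msg: Message) -> tuple[str, list[str]]:
    """Text the filter can inspect, plus names of attachments it cannot (binary formats)."""
    text_parts, opaque = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if not ctype.startswith("text/"):
            # xls/pdf/docx need a real content extractor; here they only trigger review
            opaque.append(part.get_filename() or ctype)
            continue
        payload = part.get_payload(decode=True) or b""
        text_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(text_parts), opaque


def classify(raw: str) -> dict:
    """Decide allow / review / block for one RFC 822 message."""
    msg = message_from_string(raw)
    external = [r for r in recipients(msg) if not _is_internal(r)]
    webmail = [r for r in external if r.rsplit("@", 1)[-1] in PERSONAL_WEBMAIL]
    body, opaque = scannable_text(msg)
    text = msg.get("Subject", "") + "\n" + body
    hits = {name: n for name, p in PHI_PATTERNS.items() if (n := len(p.findall(text)))}
    if external and hits:
        verdict = "block"        # PHI indicators leaving the organization
    elif external and opaque:
        verdict = "review"       # uninspectable attachment going outside
    else:
        verdict = "allow"
    return {"from": msg.get("From", ""), "external": external, "webmail": webmail,
            "phi_hits": hits, "opaque_attachments": opaque, "verdict": verdict}


def audit_sent_items(raw_messages: list[str]) -> list[dict]:
    """Retrospective review of a mailbox export: everything that would not be allowed."""
    return [r for r in map(classify, raw_messages) if r["verdict"] != "allow"]


# Constructed sample messages (no real patients, no real CCP mail).
SAMPLES = [
    # 1: internal hand-off containing PHI stays inside the organization -> allow
    "From: alice@ccpcares.example\nTo: bob@ccpcares.example\nSubject: prior auth list\n\n"
    "Member CCP00123456, DOB: 04/12/1971, dx E11.9, PCP Dr. Reyes\n",
    # 2: the same content forwarded to a personal webmail account -> block
    "From: alice@ccpcares.example\nTo: alice.home@gmail.com\nSubject: Fw: prior auth list\n\n"
    "Member CCP00123456, DOB: 04/12/1971, dx E11.9, PCP Dr. Reyes\n",
    # 3: external partner with a binary attachment the filter cannot read -> review
    "From: alice@ccpcares.example\nTo: analyst@partner.example\nSubject: monthly report\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/plain\n\nReport attached.\n"
    "--b1\nContent-Type: application/vnd.ms-excel; name=\"claims_q4.xls\"\n"
    "Content-Disposition: attachment; filename=\"claims_q4.xls\"\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n",
    # 4: external message with no PHI and no attachment -> allow
    "From: alice@ccpcares.example\nTo: news@vendor.example\nSubject: meeting\n\nSee you Tuesday at 3.\n",
]

if __name__ == "__main__":
    for r in audit_sent_items(SAMPLES):
        print(r["verdict"], r["from"], "->", r["external"], r["phi_hits"], r["opaque_attachments"])
```

The same `classify` function serves both uses: run it on each message at the gateway to block or quarantine before delivery, or run `audit_sent_items` over an export of a departed employee's Sent Items to reconstruct what left. The "review" verdict is the honest answer for binary attachments a pattern scanner cannot open; a production DLP product extracts text from spreadsheets and PDFs before matching, and tunes the patterns to the identifiers it actually holds.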

RELATED: How to ensure your employees aren’t a threat to HIPAA compliance

A solution that protects healthcare providers from third-party and insider threats is essential. Especially when it comes to safeguarding both PII and PHI from employee email misuse.

Don’t ignore the fact that you could become the victim of an accidental breach. Rather, proactively protect your organization and your patients’ privacy before such mistakes occur.

Try Paubox Email Suite Premium for FREE today.

About the author

Kapua Iao
