Lack of email DLP causes HIPAA violation in California


In 2015, Hillsides issued a press release alerting the public that it had become aware of a HIPAA violation caused by one of its employees.

The employee in question had been using their work email to send protected health information to their personal email address.

On at least five occasions between October 2014 and October 2015, the employee sent unencrypted email attachments to their personal email account containing:

  • Employee names
  • Social Security Numbers
  • Home addresses
  • Phone numbers
  • Birthdates
  • Genders
  • Medical identification numbers
  • Therapists’ names
  • Patient names

This included 468 staff and 502 clients of Hillsides.

To make matters worse, Hillsides was unable to recover the data from the employee’s personal email account. They were also unable to verify if the files were deleted in the first place. As you can imagine, the employee was terminated for violation of company policy.

Why Would an Employee Email PHI to Their Personal Account?

When healthcare data is emailed in such volume to a personal email account, the negligent employee usually does so with nefarious motives. These include:

  • Using the information for personal gain when they change employer.
  • Selling the data to identity thieves.
  • Committing fraud or identity theft.

Due to the vast amount of personally identifiable information that was stolen in this case, committing fraud or identity theft would unfortunately be fairly straightforward.

How Can Paubox Suite Premium Help?

Paubox Suite Premium includes Email DLP features, which can prevent HIPAA violations by scanning outbound email to detect the presence of protected health information and other indicators.

In the case of Hillsides, a good email DLP solution would have detected when that employee included things like Social Security Numbers in an email attachment to a personal account.

In the case of Paubox Suite Premium, we would:

  • Quarantine the outbound email.
  • Send an email alert to the DLP administrator.
  • Optionally send an email alert to the sender notifying them their email got quarantined.
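The kind of outbound check described above can be sketched as follows. This is an added example, not Paubox code: the internal domain `example.org`, the action names, and the sample message are assumptions constructed for illustration, and any recipient outside the internal domain is treated as a personal account.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: the organization's own mail domain (hypothetical value).
INTERNAL_DOMAINS = {"example.org"}
# SSN shape with validity rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def external_recipients(msg):
    """Return recipient addresses whose domain is outside the organization."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = [a.lower() for _, a in getaddresses([str(f) for f in fields]) if "@" in a]
    return [a for a in addrs if a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS]

def ssn_hits(msg):
    """Count SSN-shaped strings per text part (body and text attachments)."""
    hits = {}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # binary formats (PDF, XLSX) need their own text extractors
        name = part.get_filename() or "body"
        count = len(SSN_RE.findall(part.get_content()))
        if count:
            hits[name] = hits.get(name, 0) + count
    return hits

def evaluate(raw_message):
    """Quarantine and alert when SSN-like data is leaving the organization."""
    msg = message_from_string(raw_message, policy=policy.default)
    outside = external_recipients(msg)
    hits = ssn_hits(msg)
    quarantine = bool(outside and hits)
    return {"action": "quarantine" if quarantine else "deliver",
            "alert_admin": quarantine, "recipients": outside, "hits": hits}

def sample_message(to_addr):
    """Constructed sample: a CSV attachment holding made-up records."""
    m = EmailMessage()
    m["From"] = "staff@example.org"
    m["To"] = to_addr
    m.set_content("See attached.")
    m.add_attachment("name,ssn\nA. Sample,123-45-6789\nB. Sample,000-12-3456\n",
                     subtype="csv", filename="roster.csv")
    return m.as_string()

if __name__ == "__main__":
    print(evaluate(sample_message("someone@mail.example")))
```

Pattern matching alone produces false positives and misses data inside binary attachments, so a production filter pairs it with format-specific extraction and an administrator review step for quarantined mail.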

About Hillsides

Hillsides is a child welfare agency based in Pasadena, CA. They are dedicated to improving the overall well-being and functioning of vulnerable children, youth, and their families.

Try Paubox Email Suite Premium for FREE today.

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
