Not having email DLP leads to 90,000 patient records breached


In April 2015, the New York City Health & Hospitals Corporation’s (HHC) Jacobi Medical Center reported that 90,060 patient records were breached when an employee emailed the records to her personal email account. She also cc’d her new employer. The email was sent shortly before the employee left HHC Jacobi Medical Center to work for another healthcare provider.

The emailed data contained the following patient protected health information (PHI):

  • Names
  • Addresses
  • Telephone numbers
  • Medical record numbers
  • Health insurance information
  • Treatment dates
  • Medical services received
  • Social Security Numbers

Although the Jacobi Medical Center automatically monitored outbound communications containing PHI, it did so on a reactive basis. In other words, its systems detected the email breach only after the fact and did not block the email from being sent.

Why Would an Employee Email PHI to Their Personal Account?

In this instance, it seems the employee believed there would be a commercial or career benefit in emailing over 70,000 patient records to both her personal email account and that of her new employer.

Insurance information, Social Security Numbers and Personally Identifiable Information (PII) were included in the emailed data. This data is precisely what an identity thief would need to obtain loans and credit cards, make false insurance claims and commit medical fraud.

SEE ALSO: Lack of Email DLP causes HIPAA Violation in California

How Can Paubox Suite Premium Help?

Paubox Suite Premium includes Email DLP features, which can prevent HIPAA violations by scanning outbound email to detect the presence of protected health information and other indicators.

Taking Jacobi Medical Center as an example, a robust email DLP solution would have detected when that employee included things like thousands of Social Security Numbers in an email.

In the case of Paubox Suite Premium, we would:

  • Quarantine the outbound emails and not allow them to reach the intended recipients.
  • Send an email alert to the DLP administrator.
  • Optionally send an email alert to the sender notifying them their email got quarantined.
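
A sketch of the blocking check described above, contrasted with monitor-only handling. This is an added example, not Paubox's code and not from the original article. The domain `hospital.example`, the threshold of 5, and all function and action names are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumptions, not from the article: org domain, threshold, action names.
ORG_DOMAIN = "hospital.example"
SSN_THRESHOLD = 5
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def count_ssns(text):
    """Count SSN-shaped values, skipping ranges never issued as SSNs."""
    return sum(1 for area, group, serial in SSN_RE.findall(text)
               if area not in ("000", "666") and area[0] != "9"
               and group != "00" and serial != "0000")

def body_text(msg):
    """Join every text/* part, so text attachments are scanned too."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def external_recipients(msg):
    """Addresses in To/Cc/Bcc that are outside the organization's domain."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted(a.lower() for _, a in getaddresses(hdrs)
                  if a and not a.lower().endswith("@" + ORG_DOMAIN))

def evaluate(raw, mode="block", notify_sender=False):
    """Return (deliver, actions); mode="monitor" detects but still delivers."""
    msg = message_from_string(raw)
    if count_ssns(body_text(msg)) < SSN_THRESHOLD or not external_recipients(msg):
        return True, []
    if mode == "monitor":
        return True, ["log_incident"]  # reactive: found after the fact
    actions = ["quarantine", "alert_dlp_admin"]
    if notify_sender:
        actions.append("alert_sender")
    return False, actions

# Constructed sample message; the SSN values are made up.
SAMPLE = (
    "From: nurse@hospital.example\nTo: me@personal.example\n"
    "Cc: hr@newemployer.example\nSubject: records\n\n"
    + "\n".join(f"Patient {i}: 123-45-{6780 + i}" for i in range(6))
    + "\nnot an SSN: 000-12-3456\n")

print(evaluate(SAMPLE), evaluate(SAMPLE, mode="monitor"))
```

In `monitor` mode the same message is delivered and only logged, which is the reactive behavior the article attributes to Jacobi Medical Center.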

SEE ALSO: Email DLP can Monitor PHI Being Sent to Personal Accounts

Try Paubox Email Suite Premium for FREE today.

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
