Email common link in many large HIPAA breaches

Several recent large data breaches involving email mishaps serve as a reminder of the precautions healthcare entities must take with protected health information (PHI) contained in digital communications their organizations send or receive.

Recent incidents listed on the HHS “wall of shame” include two incidents at the North Carolina Dept. of Health and Human Services. Another reported incident, not yet publicly posted on the HHS website, occurred at the University of Cincinnati Health.

In each North Carolina DHHS breach, discovered about a month apart, employees sent unencrypted email messages containing PHI to other local health departments in North Carolina. One incident affected more than 1,600 individuals, the other about 524 people.

The PHI exposed in those incidents included names, Medicaid recipient ID numbers, Social Security numbers, dates of birth, addresses, gender, ethnicity, race, insurance information and healthcare provider names.

Meanwhile, the University of Cincinnati Health says its recent breach, affecting a total of 1,064 individuals, involved email messages sent to the wrong domains on nine occasions over a period of about a year.

Common Problems

HIPAA breaches, large and small, involving email are a persistent problem for many healthcare entities. Email is a common source of breaches because even small errors can translate into large ones, particularly when a message carries an unencrypted attachment, such as a spreadsheet, listing PHI for many patients, as was the case in both recent North Carolina DHHS email breaches. Data loss prevention (DLP) tools can inspect outbound mail and stop clear-text PHI from being sent, whether the recipient is outside the organization's network or inside it.

Malicious Incidents

Of the 1,390 major HIPAA breaches listed on the wall of shame as of Nov. 19, 116 involve email. Many of these email-related breaches are the result of phishing.

Among the largest hacking incidents listed on the wall of shame involving email is a breach reported earlier this year at South Bend, Indiana-based Beacon Health System. In that incident, the PHI of 220,000 individuals was exposed as a result of phishing attacks on some Beacon Health employees that started in November 2013, leading to hackers accessing “email boxes” that contained patient data. Phishing is a top problem that does not always get the attention its scope warrants.

For instance, the Verizon 2015 Data Breach Investigations Report states that 23 percent of users open phishing emails and 11 percent click on the embedded link, and that 50 percent of users open the phishing email within the first hour. Major breaches caused by compromised internal credentials are often the result of a successful phishing attack.

Steps to Take

There are a number of measures organizations can and should take to reduce the risk of breaches involving email. Data loss prevention tools will likely do the best job: depending on the message content, the recipient and the sender's job role, they can monitor, alert, quarantine for review, forward and encrypt, or block outright, enforcing the organization's acceptable-use rules.
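To make the DLP approach described here and under "Common Problems" concrete, the following is an added example written for this page, not code from ITPAC or from any DLP product. It builds three constructed outbound messages with the Python standard library, scans the body and any CSV/text attachment for Social Security numbers and Medicaid recipient IDs, and then maps the result plus the sender's role to one of the actions named above. The domain names, role names, the `MCD` Medicaid-ID format and the bulk threshold are all assumptions for the example; real DLP products also parse spreadsheets, PDFs and archives, which this sketch does not. The two failure modes from the article are both covered: a patient list sent unencrypted to a legitimate partner (the North Carolina DHHS case) and a message addressed to the wrong domain (the University of Cincinnati Health case).

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# --- Policy knobs (assumptions for this example; not from the article) ---
INTERNAL_DOMAINS = {"dhhs.example.gov"}
TRUSTED_PARTNER_DOMAINS = {"county-health.example.gov"}   # e.g. a local health department
ROLES_ALLOWED_TO_SHARE = {"eligibility_specialist", "case_manager"}
BULK_THRESHOLD = 10   # more identifiers than this in one message = a list of patients

# --- PHI indicators ---
# SSN: NNN-NN-NNNN, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Medicaid recipient ID: constructed format for this example (real formats vary by state).
MEDICAID_ID_RE = re.compile(r"\bMCD\d{8}\b")

def text_parts(msg):
    """Yield (label, text) for the body and any text-like attachment (CSV/TXT)."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = (part.get_filename() or "").lower()
        if part.get_content_maintype() == "text" or filename.endswith((".csv", ".txt")):
            content = part.get_content()
            if isinstance(content, bytes):
                content = content.decode("utf-8", errors="replace")
            yield (part.get_filename() or part.get_content_type(), content)

def find_phi(msg):
    """Return {part_label: {"ssn": n, "medicaid_id": n}} for parts that contain PHI."""
    findings = {}
    for label, text in text_parts(msg):
        ssn = len(set(SSN_RE.findall(text)))
        mcd = len(set(MEDICAID_ID_RE.findall(text)))
        if ssn or mcd:
            findings[label] = {"ssn": ssn, "medicaid_id": mcd}
    return findings

def recipient_domains(msg):
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rsplit("@", 1)[1].lower() for _, addr in getaddresses(headers) if "@" in addr}

def decide(msg, sender_role):
    """Map a message plus the sender's job role to a DLP action.

    allow      - no PHI detected
    monitor    - PHI, internal recipients only, small volume (log it)
    alert      - PHI, internal recipients only, bulk volume (notify security)
    encrypt    - PHI to a trusted partner from a role permitted to share it
    quarantine - PHI to a trusted partner from a role not permitted to share it
    block      - PHI to any domain that is neither internal nor a trusted partner
    """
    findings = find_phi(msg)
    if not findings:
        return "allow", findings
    external = recipient_domains(msg) - INTERNAL_DOMAINS
    if external - TRUSTED_PARTNER_DOMAINS:        # wrong or unknown domain
        return "block", findings
    if external:                                  # known partner: never in clear text
        action = "encrypt" if sender_role in ROLES_ALLOWED_TO_SHARE else "quarantine"
        return action, findings
    total = sum(f["ssn"] + f["medicaid_id"] for f in findings.values())
    return ("alert" if total > BULK_THRESHOLD else "monitor"), findings

def build_message(to, body, csv=None):
    """Constructed sample mail for the example."""
    msg = EmailMessage()
    msg["From"] = "worker@dhhs.example.gov"
    msg["To"] = to
    msg["Subject"] = "Eligibility list"
    msg.set_content(body)
    if csv is not None:
        msg.add_attachment(csv, subtype="csv", filename="patients.csv")
    return msg

# Constructed data: a 12-row patient list with fake identifiers.
PATIENT_LIST = "name,ssn,medicaid_id\n" + "\n".join(
    f"Patient {i},{100 + i:03d}-{10 + i:02d}-{1000 + i:04d},MCD{10000000 + i}" for i in range(12))

def demo():
    """Run the policy over four constructed messages and return {case: action}."""
    cases = {
        "no_phi": build_message("colleague@dhhs.example.gov", "Lunch at noon?"),
        "bulk_internal": build_message("colleague@dhhs.example.gov", "List attached.", PATIENT_LIST),
        "partner_unencrypted": build_message("intake@county-health.example.gov", "List attached.", PATIENT_LIST),
        "wrong_domain": build_message("intake@county-health.example.com", "List attached.", PATIENT_LIST),
    }
    return {name: decide(msg, "eligibility_specialist")[0] for name, msg in cases.items()}

if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:22s} -> {action}")
```

The ordering of the checks is the point: the recipient domain is evaluated before the sender's role, so a typo in the domain is blocked regardless of who sent it, and a legitimate partner still never receives PHI in clear text because the only outcomes for that path are "encrypt" or "quarantine". Internal-only mail is allowed through but a bulk list still raises an alert, which is what catches a spreadsheet of patients before it is forwarded on.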

Training is also essential, and it should include examples and case studies of phishing attempts that succeeded and the damage they caused. ITPAC can run phishing tests for you and your employees. If you have any questions about how ITPAC can help you safeguard your valuable information and prevent breaches, give us a call today.