Mississippi Medicaid Website Transmitted Unencrypted Email

Unsecure Email Incident a Reminder of Risks to PHI

A breach report involving the transmission of protected health information via unencrypted email offers a reminder of the need to pay attention to safeguarding PHI no matter where it resides, including website forms used to collect information and smartphone apps.

According to the HHS “Wall of Shame”, the Mississippi Division of Medicaid reported the unauthorized access/disclosure incident, which affected about 5,220 individuals, to the U.S. Department of Health and Human Services on May 26, 2017.

In a statement, Mississippi DOM stated that on April 7, 2017, DOM officials became aware of an issue with the online service that the agency used to create forms posted to the DOM’s website. “Once an online form was submitted, the information was also emailed to designated staff within the agency. The email containing the information was not transmitted in a secure manner (i.e. encrypted). This resulted in the possible exposure of information that may have been entered into certain online forms.”

Once the error was discovered, the online forms were immediately removed from the website and the use of the online form service was terminated.

The incident may have involved names, birth dates, addresses, phone numbers, email addresses, admission and enrollment dates, health insurer, condition, Social Security numbers, and Medicare and/or Medicaid identification numbers.

Potential Risks

Some security and privacy experts acknowledge that the likelihood of the DOM email being compromised during transmission is low.

Nevertheless, using encryption helps ensure that messages sent to the wrong recipients cannot be viewed. Criminals are more likely to try to compromise an email system that contains unencrypted messages.

More covered entities and business associates are becoming aware of email-related security risks. Risk or privacy impact assessments should highlight whether “clear text” emails are generated by such things as website forms used to collect information from insurers or patients, or by various types of smartphone apps.

This issue may be overlooked because, when organizations address email security, they tend to focus only on their email servers and services.

Based on Mississippi DOM’s description of the incident, it seems to be more of a system or application issue than a person failing to encrypt. That highlights the need to complete due diligence on any tech solutions or apps to ensure that they have the necessary safeguards.

The best approach is to set up email to encrypt automatically, based on trigger words appearing in the subject line or a lexicon that detects certain data in the message, such as Social Security numbers, credit card information, medical record numbers, and other PHI.
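A sketch of the trigger-word and lexicon check described above, as an added example that is not from the original article or from any particular email gateway. The trigger words, the medical record number format, the function names, and the sample message are assumptions made for illustration.

```python
import re

# Hypothetical policy values; a real gateway would load these from its DLP policy.
TRIGGER_WORDS = ("[secure]", "[encrypt]", "confidential")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MRN_RE = re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.I)  # assumed MRN label and length

# Constructed sample: the kind of message a web form might email to staff.
SAMPLE_BODY = "Name: Jane Doe\nDOB: 01/02/1960\nSSN: 123-45-6789\nMRN: 00451234"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges never issued: area 000/666/9xx, group 00, serial 0000."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


def encryption_reasons(subject: str, body: str) -> list[str]:
    """Return the policy rules a message matches; any match means encrypt before sending."""
    reasons = []
    if any(w in subject.lower() for w in TRIGGER_WORDS):
        reasons.append("subject-trigger")
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(body)):
        reasons.append("ssn")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            reasons.append("card-number")
            break
    if MRN_RE.search(body):
        reasons.append("medical-record-number")
    return reasons


if __name__ == "__main__":
    print(encryption_reasons("New online form submission", SAMPLE_BODY))
```

The same check belongs on any path that generates mail, including form handlers and app back ends, not only on the mail server's outbound queue.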

Potential security risks involving email containing PHI:

  • Sending or receiving email on unsecured public networks
  • Insiders “sniffing” their employers’ networks to capture communications
  • Spoofed phishing emails
  • Fax transmittals of documents containing PHI that get automatically forwarded to email inboxes unencrypted
  • Lost or stolen computing devices that contain unencrypted email

If you have questions about the security of your email system, forms submitted online, or any other aspect of your IT system, call ITPAC today.