As 2019 draws to a close, some entities are taking harder look at storing PHI in employee email accounts
Okay, so two exemplars doesn’t prove any kind of trend, but I’m glad to see some entities now taking steps to reduce how much PHI is stored in employee email accounts. Here are two recent incidents, both reported to HHS in December:
Healthcare Administrative Partners (HAP) is a Pennsylvania-based business associate under HIPAA. On December 3, they notified HHS of a data security incident that affected 17,693 patients.
According to their notice, HAP noticed suspicious activity in an employee’s email account on June 26. They promptly changed employee passwords and started to investigate, including bringing in an external consultant. In September, they were able to determine that the employee’s email account included PHI, although they were unable to determine what the attacker actually accessed or viewed. The types of data that were present in the email account included some combination of patient names, addresses, dates of birth, medical record numbers, doctor’s names, prescriptions, and medical diagnosis or limited treatment information.
On October 4, HAP notified their clients/healthcare providers of their findings. Not surprisingly, they do not name their clients, and I am not aware of any covered entity who has disclosed a breach that names Healthcare Administrative Partners.
So let’s turn to what HAP has done to prevent this type of thing from happening again. From their notice:
Since the incident, all passwords have been reset, external emails are now labeled as external, mailbox size restrictions and archiving requirements have been implemented, and HAP is evaluating options for multi-factor authentication and retraining employees on recognizing and responding to suspicious emails.
Okay, I am encouraged by the above.
Now let’s look at Sinai Health System in Illinois. On December 13, they notified HHS of an incident impacting 12,578 patients. As with HAP, employee email had been compromised, although in Sinai’s case, it was two employee email accounts and not just one. In October, their investigation did not find proof of access or exfiltration, but the employee email accounts contained PHI that included patients’ names, addresses, dates of birth, Social Security numbers, health information or health insurance information.
So what did Sinai do in response to this incident to prevent a future incident of this kind? From their notice:
Sinai has taken steps to prevent a similar incident from occurring in the future, including resetting employee email passwords, conducting employee training and enhancing email filtering protocols. Sinai has also reviewed and revised its information security policies and procedures, including email retention procedures. Additionally, Sinai is increasing the security of its email systems and network with the assistance of security experts.
So that’s two entities that seem to have recognized that the amount of data stored in employee email accounts is something that needed to be reassessed and likely reduced.
Hopefully, we’ll see more of these kind of changes sooner rather than later.