Multnomah County notified 1,700 patients after discovering employee was forwarding emails to personal account

Posted on by Dissent

From Multnomah County, Oregon:

January 20, 2017

On August 24, 2012, a Health Department employee began automatically forwarding all emails received in the employee’s county email account to a personal Google email account not maintained by the county. Some of these emails included protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA) were forwarded.

Multnomah County personnel discovered the incident on Nov. 22, 2016 during a random audit. The county started an investigation and began collecting further information about what happened. During that investigation, the county found no evidence that messages in the personal email account were opened are read. Upon completing the investigation, county personnel verified that the personal email account was deleted and no longer accessible to the employee.

Because the employee was a member of a Health Department team, some emails had attachments with protected health information. The information disclosed may have included your first and last name, medical record number, medication name, prescription number, diagnosis, date of service and/or age.

The County has not found any indication that any Social Security number, home address or phone number was included. Because none of the messages in the employee’s personal email account appear to have been accessed, we believe there is a low risk that your information was further disclosed. However, the personal email account is maintained by Google and not the county. We are not aware of any other inappropriate uses or disclosures of your personal information.

Multnomah County and the County Health Department are committed to keeping your personal information private and we take many steps to protect it. We have policies and procedures for handling personal information which were reviewed with the staff member involved in this incident. We are also reviewing controls, business practices and policies to increase protections of personal information in response to this incident. We sincerely regret any inconvenience or worry this incident presents to you.

If you have questions or concerns about this letter, please contact us at 1-877-422-7676 and state case #1322 after the beep.

The incident was reported to HHS as impacting 1,700 patients.


Related:

Category: Government SectorHealth DataInsiderU.S.