The NYC Health and Hospitals Corporation is providing some powerful reminders of the importance of auditing and monitoring employee emails.
Last month, I noted that they had detected breaches involving patients at Bellevue Hospital and Jacobi Medical Center. On June 1, HHC notified HHS of yet another email-related breach, this one involving Metropolitan Hospital Center. From their notification:
FOR IMMEDIATE RELEASE
June 1, 2015
Notification of Possible Personal Health Information Disclosure
The New York City Health and Hospitals Corporation (HHC) this week began to notify 3,957 HHC patients who received services at Metropolitan Hospital Center (Metropolitan) about the disclosure of some of their personal and/or protected health information (PHI) when an e-mail file that contained PHI (including some sensitive patient information) was improperly sent by a Metropolitan employee to his personal email account. A sample notification to the affected patients is attached explaining in greater detail the occurrence.
As indicated in the notice to the patients, there is no evidence to suggest that the subject file was received or viewed by anyone other than the single employee recipient, who was authorized to receive the PHI but was not authorized to transmit it to his personal email account. There is no evidence to suggest that the PHI contained in the e-mail file was misused or disclosed in any manner. The employee responsible for sending the e-mail has been terminated from employment with Metropolitan.
Consistent with federal regulatory requirements, HHC notified the federal oversight agency and initiated action to mitigate the risk presented by the unauthorized communication.
Based on actions taken by HHC, the email files in question have since been deleted from all known unauthorized sites to which they were sent and there is no basis to believe that they were forwarded to any other site before deletion.
Nonetheless, HHC has taken decisive steps to protect the individuals who are potentially affected, and through third-party vendor Kroll is offering free credit monitoring and identity protection services for one year to those patients whose medical records may have been improperly disclosed. HHC has also set up a toll-free hotline to provide additional information. Notifications will also be posted on the HHC website and will be distributed to news outlets.
HHC has taken immediate measures to prevent an incident of this nature from recurring in the future. One of these measures include the automatic blocking of communications containing PHI and other personal information from being sent from HHC to any unauthorized site/entity outside of the HHC security network unless for a legitimate business purpose.
After three e-mail breaches in a short timeframe, I’d say such measures were definitely in order.