When you think of a HIPAA email breach, generally the breach occurs as the result of a phishing attack. However, the Campbell County Health breach occurred due to something totally unrelated, human error.
How Did the HIPAA Email Breach Occur?
Campbell County Health reported that, on February 5, an employee of the organization accidentally sent an email to the wrong recipient. The email sent to the unauthorized individual included an attachment containing the protected health information (PHI) of 900 patients. PHI that was potentially compromised due to the HIPAA email breach included patient names, type of insurance, and account numbers.
Within an hour of the email being sent, Campbell County Health noticed their mistake, and notified the recipient, and asked them to delete the email. As a result of the incident, and to prevent a similar incident from occurring in the future, Campbell County Health is implementing process changes, and retraining employees on HIPAA best practices.
Emailing PHI Best Practices
- Double check a recipient’s email address before sending sensitive information
- Develop policies and procedures for when PHI is permitted to be communicated via email
- Encrypt email communications, preventing unauthorized access
- Require login credentials to access sensitive attachments
- Train employees on the proper uses and disclosures of PHI
Other Recent HIPAA Email Breaches
As previously mentioned, the majority of HIPAA email breaches are the result of phishing incidents. There were several phishing email breaches that occurred recently, two of which are discussed below.
Grand River Medical Group Email Breach
Grand River Medical Group suffered a phishing attack affecting 34,000 patients. The phishing attack allowed unauthorized access to an employee’s email account that contained spreadsheets with PHI. Information potentially accessed in the HIPAA email breach included patient names, Social Security numbers, dates of birth, addresses, medications, and visit types. Patients affected by the incident received breach notification letters in early February 2021, and will receive one year of complimentary identity theft protection. To prevent similar incidents from occurring in the future, Grand River Medical Group isolated the compromised email account, and reset passwords.
Hackley Community Care Email Breach
Hackley Community Care discovered that an unauthorized party had access to an employee’s email account from September 7 – 24 following a phishing attack. The incident potentially affected 2,500 patients, however, the investigation found no evidence that their data had been misused. Although it is unclear if any PHI was compromised by the incident, patients potentially affected will receive one year of complimentary credit monitoring services. The clinic has also since reset the password for the affected email account.
