Cybersecurity threats continue to affect how healthcare organizations operate on a daily basis. Choice Rehabilitation of Creve Coeur, MO, recently experienced this when an unauthorized individual gained access to the corporate email account of one of its employees. On July 1, 2018 the attacker set up a mail forwarder that sent the account's email to a personal email account, and the forwarder remained active until September 30, 2018.

Analysis of the email data breach revealed that the protected health information (PHI) of certain residents was included in billing documents attached to emails sent to the company's associated nursing facilities.

The email data breach did not expose highly sensitive information such as financial data, Social Security numbers, Medicare and Medicaid numbers, dates of birth, and contact information. However, billing information related to rehabilitation therapy provided to patients, such as names, payor information, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes and the name of the facility where care was provided, was unsecured and was accessed.

HIPAA regulations set specific guidelines for the standards that must be implemented to secure protected health information. PHI can be any information that can be used to identify a patient, such as names, phone numbers, addresses and Social Security numbers, to name a few.

Healthcare cybersecurity incidents that affect PHI can be considered a HIPAA breach. According to the HIPAA Breach Notification Rule, organizations are required to report all breaches to OCR for investigation, regardless of size. Yet there are specific protocols depending on whether a breach is considered minor or meaningful. These investigations will often result in a HIPAA audit and related HIPAA fines if auditors conclude the breach was a result of “willful neglect.”

“Willful neglect” is determined by the effectiveness of a healthcare organization’s HIPAA compliance program, which is mandated by the government. An organization will not be fined for having an email data breach, but it will be fined if it does not have an effective compliance program. HIPAA fines can range from $100-$50,000 per incident depending on the level of perceived neglect. In other words, the less compliant your organization is, the more it will be fined in the event of failing a HIPAA audit.

After discovering the breach, Choice Rehabilitation blocked access to the email account, deactivated the mail forwarder, and had the personal email account used by the attacker shut down. The other corporate users were informed about the breach and reminded of the security safeguards that prevent unauthorized account access. In addition to the existing security awareness training, more safeguards have been implemented to improve email and network security and the monitoring of corporate email accounts.
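The breach described above ran for three months because a forwarding rule quietly copied a corporate mailbox to an outside address. One concrete form of the "monitoring of corporate email accounts" mentioned here is a periodic audit of mailbox forwarding rules that flags any destination outside the organization's own domains. The following is an added example, not code from the original post or from Choice Rehabilitation; the rule records, the domain names (`example-rehab.test`, `personal-mail.test`) and the field names are constructed for illustration, and a real export from Microsoft 365 or Google Workspace would need a small adapter to this shape.

```python
"""Audit mailbox forwarding rules and flag forwarding to external domains.

Added example, not part of the original post. The rule records are a
constructed, vendor-neutral shape (hypothetical field names); adapt the
loader to whatever your mail platform exports.
"""
from dataclasses import dataclass
from datetime import date

# Constructed placeholder for the organization's own email domain(s).
INTERNAL_DOMAINS = {"example-rehab.test"}

# Date the audit is run; fixed here so the sample output is reproducible.
AS_OF = date(2018, 9, 30)


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    forward_to: str
    days_active: int
    hides_copy: bool   # rule also deletes/marks read the original, hiding the forward
    severity: str      # "high" or "medium"


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def find_external_forwarding(rules, internal_domains, today):
    """Return one Finding per external forwarding destination.

    A rule is reported when any destination domain is not in
    internal_domains. Severity is raised to "high" when the rule also hides
    the forwarded mail from the owner or has been active for over 30 days,
    since both patterns match a long-running, unnoticed forwarder.
    """
    findings = []
    for rule in rules:
        external = [a for a in rule.get("forward_to", [])
                    if _domain(a) not in internal_domains]
        if not external:
            continue
        days = (today - rule["created"]).days
        hides = bool(rule.get("delete_after_forward") or rule.get("mark_read"))
        severity = "high" if hides or days > 30 else "medium"
        for addr in external:
            findings.append(Finding(rule["mailbox"], rule["name"], addr,
                                    days, hides, severity))
    return findings


# Constructed sample export: one benign internal rule, one long-running
# external forwarder that hides its tracks, and one recent external rule.
SAMPLE_RULES = [
    {"mailbox": "billing@example-rehab.test", "name": "copy to manager",
     "forward_to": ["manager@Example-Rehab.test"], "created": date(2018, 3, 12)},
    {"mailbox": "billing@example-rehab.test", "name": "sync",
     "forward_to": ["someone@personal-mail.test"], "created": date(2018, 7, 1),
     "delete_after_forward": True},
    {"mailbox": "intake@example-rehab.test", "name": "vendor copy",
     "forward_to": ["partner@vendor-mail.test"], "created": date(2018, 9, 25)},
]


def audit_sample():
    """Run the audit over the constructed sample as of AS_OF."""
    return find_external_forwarding(SAMPLE_RULES, INTERNAL_DOMAINS, AS_OF)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.severity.upper()}] {f.mailbox}: rule '{f.rule_name}' forwards to "
              f"{f.forward_to} (active {f.days_active} days, hides copy: {f.hides_copy})")
```

The internal rule is skipped even though its destination uses mixed case, the three-month forwarder to a personal domain is reported as high severity, and the five-day-old vendor rule is reported as medium so it can be reviewed rather than ignored. Running this on a schedule and alerting on any new finding would have surfaced the forwarder in this incident within a day of its creation rather than after three months.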

According to the Department of Health and Human Services’ Office for Civil Rights breach report, up to 4,309 individuals may have been affected by the incident.

One way you can protect your organization’s PHI is by using encryption. Encryption uses software and algorithms to turn your data, including written text and PHI, into unreadable text. This can protect your data in the event of a breach or theft, and can leave the data useless to anyone who obtains it.

If Choice Rehabilitation had abided by the HIPAA Security Rule and implemented encryption as one of its safeguards, it could have protected the content of the emails that were sent out.
