Email to provider revealed as the reason for recent Atlanta data breach

Posted: Aug 18, 2015

A simple error made by an employee sending an email to a contracted provider resulted in the unintentional disclosure of the medical records of 3,000 clients of the Community Care Services Program based in Georgia.

The Community Care Services Program is responsible for helping people at risk of nursing home placement to remain in their communities and is managed by the Department of Human Services Division of Aging Services.

In this instance, it was fortunate that the email was sent to a contracted provider and that the issue was identified and dealt with quickly. The information disclosed included names and certain diagnoses, but no addresses or other personal details such as Social Security Numbers were divulged.

Although the breach was identified almost immediately and patients were informed of the error soon after, the incident demonstrates how easy it is for a data breach to occur when email is the primary method of communication within a healthcare organization. The fact that a breach of this nature occurred suggests that there were limited safeguards in place to prevent emails from being sent to the wrong parties.

Human error is cited as the biggest concern for healthcare providers when it comes to data breaches, and yet using email to send and receive electronic protected health information, or ePHI, is routine. While the HIPAA Security Rule does not prohibit the use of email for sending ePHI, the standards for access control, integrity and transmission security require organizations to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI sent and received via email.

Encrypting emails is just one of these requirements, yet a great number of healthcare organizations incorrectly assume that this is sufficient to make their organization HIPAA compliant. However, provisions such as access control, integrity, authentication, transmission security and auditing all need to be taken into consideration to ensure HIPAA compliance.

Access controls, such as usernames and passwords, should be strong and changed frequently. For email logins, passwords should be generated specifically for this purpose and there should be no shared login for any email accounts with access to ePHI. One issue with access control is that staff may be tempted to reuse the same login information across multiple accounts and devices so that it is easier to remember. Access control also extends to the servers that emails are stored on and transmitted through. Emails might not be stored on a mail server that has implemented the technical and physical safeguards outlined under the HIPAA rules to restrict anyone from accessing stored email messages and ePHI.

Authentication is one of the biggest stumbling blocks with email, as sending to the wrong person can happen so easily. Another prerequisite of authentication is that healthcare organizations must strictly govern and control which employees are granted access to ePHI and at what level. ePHI must be both secured and encrypted in transit and then in storage to ensure only the intended recipients are allowed to access the data. Again, a small error in an email’s recipient field can result in ePHI being shared with employees who do not have the correct access rights to that information. When receiving an email that contains ePHI, it is unlikely that a user has to go through multi-factor authentication before being able to access the data.

Integrity refers to ePHI being protected from being altered or destroyed. It is possible to accidentally delete an email without realizing it, and mail servers should be HIPAA compliant to ensure that malicious outsiders are unable to access ePHI at rest or in transit.

Transmission security is another sticking point with email, especially when sending and receiving emails on a mobile device that may be using unsecured networks.

Finally, auditing is a HIPAA requirement, and while emails will provide a log of who sent and received them, discovering who accessed the emails and when presents more of an issue. At a minimum, organizations need to be able to produce detailed login audit trails that include the date, time and IP address of each login, as well as trails of all sent and received messages.
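As an added illustration (not part of the original article and not code from any product it mentions), the Python sketch below builds the login audit trail described above, with date, time and IP address per login, keeps a separate trail of sent and received messages, and flags accounts whose login pattern suggests a shared login. The log format, account names and the 15-minute window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical mail-server log format (assumption).
SAMPLE_LOG = """\
2015-08-17T08:01:12 LOGIN user=nurse.a ip=10.0.4.21 result=ok
2015-08-17T08:03:40 SEND user=nurse.a to=provider@example.org msgid=m1@example.org
2015-08-17T08:05:02 LOGIN user=intake ip=10.0.4.30 result=ok
2015-08-17T08:09:55 LOGIN user=intake ip=10.0.7.88 result=ok
2015-08-17T08:10:31 RECV user=intake from=lab@example.org msgid=m2@example.org
2015-08-17T09:45:00 LOGIN user=nurse.a ip=10.0.4.21 result=fail
not a log line
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN|SEND|RECV) user=(?P<user>\S+) (?P<rest>.+)$")

def parse(log_text):
    """Split raw log text into login records, message records and rejected lines."""
    logins, messages, rejected = [], [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        try:
            fields = dict(kv.split("=", 1) for kv in m["rest"].split())
            rec = {"when": datetime.fromisoformat(m["ts"]), "user": m["user"], **fields}
            if m["event"] == "LOGIN":  # a login without IP or result is not auditable
                logins.append({**rec, "ip": fields["ip"], "result": fields["result"]})
            else:
                messages.append({**rec, "direction": m["event"]})
        except (TypeError, ValueError, KeyError):
            rejected.append(raw)  # keep unparsable lines for review, never drop them
    return logins, messages, rejected

def login_trail(logins):
    """Per-user trail of (date, time, source IP, result), oldest first."""
    trail = defaultdict(list)
    for r in sorted(logins, key=lambda r: r["when"]):
        w = r["when"]
        trail[r["user"]].append((w.date().isoformat(), w.time().isoformat(), r["ip"], r["result"]))
    return dict(trail)

def possible_shared_logins(logins, window=timedelta(minutes=15)):
    """Heuristic: accounts with successful logins from different IPs inside the window."""
    ok = [r for r in logins if r["result"] == "ok"]
    return sorted({a["user"] for a in ok for b in ok
                   if a["user"] == b["user"] and a["ip"] != b["ip"]
                   and abs(b["when"] - a["when"]) <= window})
```

A flagged account is a prompt for review rather than proof of sharing, since one person can legitimately move between workstations.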

There are more secure ways of transmitting and storing data than email, limiting the risk of a breach occurring. The Sfax cloud faxing platform restricts access to ePHI using multi-factor authentication, with military-grade encryption protecting electronic messages both at rest and during transmission. All documents that are transmitted using Sfax come with full reporting to ensure that detailed audit trails can be provided, so you can be sure of the integrity of your patients’ ePHI.

Find out more about Sfax cloud faxing today.