From email data breach to wall of shame: Don’t let it happen to you
Email data breaches are an all too common occurrence in healthcare. Analysis of recent data breaches by HIPAA Journal revealed that email was the second most common location of breached electronic protected health information (ePHI) in March 2018, second only to portable electronic devices (laptops and other portable devices). These email breaches included both user error (such as misdirected emails) and malicious incidents (such as phishing).
A recent case involving Texas Health Physicians Group highlights the vulnerability of healthcare organizations when it comes to email security. The company recently disclosed that an unauthorized third party gained access to some of its email accounts, resulting in a data breach that affected 3,808 patients.
An official statement posted on the company’s website read, “On January 17, 2018, law enforcement advised us that an unauthorized third party may have gained access to some Texas Health email accounts in October 2017. Law enforcement indicated this was part of a larger incident affecting multiple entities across the country and did not just affect Texas Health entities and patients.”
The company concluded by saying, “We deeply regret any inconvenience or concern this may cause our patients. To help prevent something like this from happening in the future, Texas Health is continuously working to implement safeguards and enhance information security monitoring.”
Breaches of PHI can be catastrophic for the organizations affected, both financially and operationally. While retrospective corrective actions can help prevent similar incidents from occurring in the future, there’s no hiding from what’s already happened in the past.
The wall of shame
Under the HITECH Act, the U.S. Department of Health and Human Services (HHS) is required to publish all breaches of unsecured PHI affecting 500 or more individuals on its public breach portal web page, more commonly known within the industry as “the wall of shame”. The page lists all breaches reported within the past 24 months that are currently under investigation by the Office for Civil Rights (OCR), and includes information such as company name, location, type of data breach, and number of individuals affected.
The 24-month window reflects a policy change implemented in 2017; previously there was no expiration date. Under the new policy, older and ‘resolved’ breaches are moved to a separate archive tab, where they presumably will remain accessible indefinitely.
For Texas Health Physicians Group, having a place on the first page of the wall of shame will be a tough pill to swallow, but it also serves as a stark reminder to other organizations of the reputational damage that large-scale data breaches of this nature can inflict.
A secure alternative to email
At the time of writing, over 400 companies are listed on the wall of shame, and a quarter of the breaches that got them there can be tied back to email. Evidently, organizations are failing to protect themselves from the risks associated with insecure email accounts, and they’re paying the price for it.
The solution is to eliminate the use of email for communicating ePHI and instead use a secure alternative such as cloud fax when exchanging sensitive information online. The Sfax cloud faxing solution allows employees to efficiently and securely send and receive faxes the same way they email, which makes for an easy transition and causes minimal disruption to workflow. To find out more, visit https://www.scrypt.com