Employee Email Misuse Puts Patient PHI in Jeopardy in CA, FL

September 10, 2021 - Employee email misuse led to patient protected health information (PHI) being compromised in two recent healthcare data breaches, one in California and the other in Florida.

As ransomware attacks increase across the healthcare sector, organizations should also be wary of unauthorized email use and employee negligence, both of which can have equally damaging effects on healthcare entities and patients.

South Florida Community Care Network, also known as Community Care Plan (CCP), began notifying 48,344 patients of a breach involving an employee sending internal documents containing PHI to their personal email address.

CCP began reviewing a former employee’s email account on June 21, 2021, and discovered that the employee had been sending internal documents to their personal email address between October 27, 2020, and December 28, 2020.

“We found no evidence the employee was acting outside of their job duties in working with this information,” the statement explained.

However, emailing internal documents to a personal account goes against the health plan’s employee policy. On June 21, CCP determined that the documents contained plan member information.

Further investigation revealed that the documents contained birthdates, names, addresses, diagnoses, procedure billing codes, primary care physician information, and member identification numbers.

CCP said that it immediately stopped the former employee’s email access at the time their employment ended, recovered company-issued equipment from the employee, and audited their actions to ensure compliance with CCP policies.

Although no Social Security numbers were impacted, CCP is also providing complimentary credit monitoring to impacted individuals.

Similarly, the California Department of State Hospitals (DSH) recently announced that an employee at Coalinga State Hospital had provided confidential information on about approximately 1,738 current and former patients to the US District Court, Eastern District of California three times between 2013 and 2019.

The breach occurred on July 21, 2013, October 12, 2016, and August 27, 2019. The employee provided the court with patient rosters containing names, case numbers, birthdates, admission dates, unit numbers, gender, and legal commitments. The information allowed the court clerk to determine whether certain patients were eligible for fee waivers for filing a lawsuit.

“While it is not a breach of patient privacy to provide a patient’s name and other confidential information to the court for the purpose of providing a public benefit, DSH must abide by federal and state privacy laws, which prohibit releasing personally identifiable information and protected health information of patients who never filed a lawsuit with the court,” the statement emphasized.

“These laws also prohibit providing more than the minimum amount of information necessary for the provision of the public benefit of determining eligibility for filing fee waivers.”

DSH discovered the breach on August 12, 2021, when the court contacted DSH requesting an updated patient roster. DSH has since received confirmation that the patient rosters were not released beyond court personnel and the court destroyed all copies of the rosters.

“DSH is notifying the patients and former patients who are affected by this breach and providing them with information about medical privacy,” the statement maintained.

“In fiscal year 2018/2019, DSH received funding and has since implemented a statewide privacy program to provide employees with further clarity, education, and awareness regarding data protection.”

Malicious cybercriminals remain at large, and many healthcare entities are continuing to make software upgrades and protect themselves against common vulnerabilities. But educating employees on proper cyber hygiene is equally crucial.

Employee email misuse does not necessarily mean that the employee had malicious intent. But when healthcare entities fail to educate employees on common cyber hygiene tactics, it opens the door to bad actors.

The Biden Administration recently met with top cybersecurity leaders from Apple, Amazon, Google, and more to discuss nationwide cybersecurity initiatives. The initiatives maintain a strong focus on education.

Google committed to training 100,000 individuals on cybersecurity-focused digital skills certificates, and IBM pledged to train 150,000 individuals in cybersecurity skills over the next three years.

Employee cybersecurity education is a crucial step in safeguarding private data from hackers.

As other industries increase their focus on cybersecurity education, healthcare may want to follow suit. Hospital cybersecurity ratings historically lag behind most other industries. Even as ratings improve, the healthcare sector remains one of the most vulnerable industries when it comes to data breaches.