Prairie Fields Family Medicine has announced that an email error has resulted in the protected health information (PHI) of nearly 6,500 patients being compromised.
Prairie Fields Family Medicine, a family clinic that has been working in Freemont, NE, for 30 years, stated that an unencrypted spreadsheet containing the PHI of 6,450 patients was accidentally sent to the incorrect recipient. As the person who accidentally received the email was unauthorised to see the information, the error constituted a significant data breach. The error was particularly egregious as the spreadsheet was unencrypted, and therefore accessible to anyone.
The breach was limited to patients’ first and last names, birth date, telephone number, first language spoken, sex, race, and, for certain patients, primary and secondary health insurer information, including providers’ names and account numbers. The spreadsheet did not contain any financial data or health information typically contained in medical records.
The email containing the unencrypted spreadsheet was sent on October 1, 2018. The error was recognised later that same day. The recipient’s email address was not registered with anyone from the organisation. In an attempt to contain the breach, Prairie Fields Family Medicine has made multiple attempts to contact the owner of the email account to ensure the spreadsheet is securely deleted. No response has been received.
This lack of response has led Prairie Fields Family Medicine investigators to believe the email account is no longer in use by its owner. However, the possibility remains that the spreadsheet was opened by the recipient and that the integrity of the PHI was compromised.
In accordance with HIPAA’s Breach Notification Rule, all patients who were affected by the breach have had a breach notification letter sent to them. As the breach affected more than 500 individuals, the Department of Health and Human Services’ Office for Civil Rights has been informed.
Breach investigators working on behalf of Prairie Fields Family Medicine have stated that they have not come across any evidence to imply that any patient health information has been accessed or misused. However, due to the sensitive information contained in the spreadsheet, all affected patients have been advised to check their explanation of benefits statements for suspicious activity. Should they see anything unusual, it is recommended that they contact the relevant authorities immediately.
In response to the breach, Prairie Fields Family Medicine have put additional controls in place to prevent further impermissible disclosures of patients’ protected health information.
This case highlights that fact that even minor employee slip-ups, such as sending an email to the incorrect account, could have serious negative consequences for an organisation and may even result in a HIPAA violation. Although breaches due to cybersecurity issues, such as phishing attempts or ransomware attacks, garner much media attention, accidental breaches are still significant. However, these breaches are more difficult to combat, due to their random nature.
It is recommended that employees undergo regular training to remind them of best practices and company protocols so that the risk of a breach is minimised. All employees should be aware of their responsibilities under HIPAA, and understand the serious consequences that are associated with a HIPAA violation.
