HIPAA Privacy Violations are now coming courtesy of Phishing! The latest twist in HIPAA Privacy violations came in May 2014, when it was revealed that a phishing operation aimed at the email accounts of physicians at at least two Baylor Medical Center facilities netted the contents of those accounts, including PHI of their patients!
PHI of Patients in Email Contact Records
The email accounts of some of the physicians who responded to the phishing attempts contained unencrypted PHI, including patient names, dates of birth, diagnoses, and even medical record entries. A few entries even included patient social security numbers. It is still not clear why the physicians had accumulated such information in their email accounts, but the amount of it was clearly extensive.
As HIPAA Privacy violations go, this one was both unusual and sadly familiar. It was unusual in that the attack was a phishing campaign against physician email accounts, and that some of the physicians were storing unencrypted PHI in their email contact files. It was sadly familiar in that, as in so many other cases, the end result was the disclosure of unencrypted PHI.
HIPAA Privacy Violations due to lack of termination of an employee’s access
A lack of routine due diligence led to another HIPAA Privacy violation at a different Baylor facility. A year before the phishing expedition, an employee who had resigned, and who had been responsible for making patient reminder calls, continued to make those calls for almost two months after his resignation! He knew no one had been assigned to make the calls in his absence, and because his access to the provider's information system had never been revoked, he simply kept making them.
HIPAA Privacy Violations the old-fashioned way – courtesy of a “bad actor”
It has been a lousy (that's the opposite of banner, apparently) 12 months for Baylor, because the organization also suffered a HIPAA Privacy violation due to an employee who was found to be taking and selling patient identifying information.
The Lessons of these HIPAA Privacy Violations
Most of us can recognize an email about something we know does not apply to us. Emails about package deliveries we never ordered, from banks where we have no account, or advertising pharmaceuticals that promise to improve our health and well-being are usually recognizable as probable phishing, or at least as something we don't want or need. But every so often, one comes along that really, really looks authentic. For those situations, and for the ones where someone hacks our accounts without any help from us, the rule is simple: never keep unencrypted PHI in email contact records, or anywhere else in a mailbox. An account that holds no PHI cannot leak any when it is compromised.
And when it comes to employees with access to PHI, a solid process for removing that access as soon as an employee is out the door is an absolute necessity. Checklists of actions to take when someone is hired and when they leave the organization are becoming a necessity in an environment where access to digital information systems is a routine part of people's jobs. In larger organizations, it is also worth performing a periodic access audit. Just like the old payroll audits, in which paychecks were handed out in person by an internal auditor to confirm that everyone getting a paycheck was really still on the payroll, an access audit reconciles the list of enabled accounts against the current HR roster and catches staff members who have left the organization but still have access to information systems. Any account that is still enabled after its owner's termination date is a finding, and one that has been used since that date is an incident.
The stakes are very high these days for Covered Entities, Business Associates and their subcontractors alike. A rigorous process to ensure that only the right people have access to the information they need, and that there are no informal storage sites of PHI, is a must for healthcare organizations large and small.
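A minimal form of the access audit described above, as an added example that is not part of the original post and not code from any organization named in it: it reconciles an HR roster against the list of enabled accounts and flags accounts whose owner has been terminated (noting whether the account was used after the termination date), accounts with no matching HR record, and accounts that have gone unused. The roster, the account list, the field names and the 90-day staleness threshold are all constructed assumptions for illustration.

```python
"""Access audit: reconcile an HR roster against enabled system accounts.

Added example, not code from the original post or from any organization
named in it. All records below are constructed sample data, and the field
names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Person:
    employee_id: str
    name: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date]  # set only when status == "terminated"


@dataclass
class Account:
    username: str
    employee_id: Optional[str]  # None for accounts with no recorded owner
    enabled: bool
    last_login: Optional[date]  # None if the account has never logged in


@dataclass
class Finding:
    username: str
    reason: str
    days_exposed: Optional[int]  # days since termination, when applicable


# Date the audit is run (assumed).
AS_OF = date(2014, 5, 15)

# Constructed HR export (assumed shape; not real people).
HR_ROSTER: List[Person] = [
    Person("E100", "Alice Nguyen", "active", None),
    Person("E101", "Bob Ortiz", "terminated", date(2014, 3, 20)),
    Person("E102", "Carol Smith", "terminated", date(2013, 12, 1)),
    Person("E103", "Dan Lee", "active", None),
]

# Constructed account export from the information system (assumed shape).
ACCOUNTS: List[Account] = [
    Account("anguyen", "E100", True, date(2014, 5, 14)),      # active, in use
    Account("bortiz", "E101", True, date(2014, 5, 12)),       # resigned, still enabled and in use
    Account("csmith", "E102", False, date(2013, 11, 28)),     # terminated and properly disabled
    Account("dlee", "E103", True, date(2014, 1, 10)),         # active employee, account unused
    Account("svc_reminders", None, True, date(2014, 5, 10)),  # no owner on record
    Account("jdoe", "E999", True, None),                      # owner ID unknown to HR
]


def audit_access(roster: List[Person], accounts: List[Account],
                 as_of: date, stale_days: int = 90) -> List[Finding]:
    """Return one Finding per enabled account that should not be enabled as-is.

    Each enabled account is checked, in order, for:
      1. owner terminated (with a note if the account was used after that date)
      2. no HR record matching the account (orphaned or unowned account)
      3. no login within stale_days (access that nobody appears to need)
    """
    by_id = {p.employee_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already revoked; nothing to report
        person = by_id.get(acct.employee_id) if acct.employee_id else None
        if person is not None and person.status == "terminated":
            exposed = (as_of - person.termination_date).days
            reason = f"owner terminated on {person.termination_date.isoformat()}"
            if acct.last_login and acct.last_login > person.termination_date:
                reason += f"; logged in after termination ({acct.last_login.isoformat()})"
            findings.append(Finding(acct.username, reason, exposed))
        elif person is None:
            findings.append(Finding(acct.username,
                                    "no matching HR record (orphaned or unowned account)", None))
        elif acct.last_login is None or (as_of - acct.last_login).days > stale_days:
            findings.append(Finding(acct.username,
                                    f"no login in the last {stale_days} days", None))
    return findings


if __name__ == "__main__":
    for f in audit_access(HR_ROSTER, ACCOUNTS, AS_OF):
        exposed = f" ({f.days_exposed} days exposed)" if f.days_exposed is not None else ""
        print(f"{f.username}: {f.reason}{exposed}")
```

Run against a real HR export and a directory dump, the findings in the first category are the ones to escalate: an enabled account whose owner has left and which has been used since is exactly the reminder-call scenario. Disabled accounts are deliberately skipped, since revoking access is the goal; the audit is a check that the leaver checklist actually happened, not a substitute for it.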