An employee at Rady Children’s Hospital in San Diego inadvertently emailed a spreadsheet containing the protected health information of more than 14,000 patients to a handful of job applicants on June 6th, 2014. The investigation of this breach uncovered a second incident that took place in 2012 which exposed the protected health information of another 6,300 patients. These recent breaches, both the result of human error, highlight the benefit of a number of controls including employee training, data loss prevention technologies, email encryption and other safeguards.
According to the hospital’s press release, the employee who made the error on June 6th was intending to send a “training file to evaluate the applicants,” but instead attached elements of actual patient information by mistake. It wasn’t immediately clear what type of employee was being evaluated; we speculate it may have been personnel in the hospital business office.
The spreadsheet contained the names, birth dates, primary diagnoses, admittance and discharge dates, medical record numbers and other information such as insurance claim information. It did not include Social Security numbers, addresses or parent information for the young patients. The four recipients of the email (and two others who were forwarded the email by one of the applicants) were immediately contacted when the breach was discovered on June 10th. Each recipient has confirmed in writing that they have deleted the email and the attachment from their computer and any other external devices, like an iPad or mobile phone. The hospital has also hired an independent technology firm to confirm the files were deleted.
The earlier breach that was subsequently discovered was also an instance of actual patient information being used during the testing of job applicants. This time the breach took place both on-site, when six job applicants took a test that exposed them to limited patient information, and through email, when another three job candidates were emailed the same information. These breaches, which occurred in August, November and December of 2012, affected over 6,300 patients who sought outpatient treatment from the hospital between 2009 and 2010. Letters are being mailed to all affected individuals’ families.
As part of its corrective action plan, Rady will implement “commercially available and validated testing programs” to evaluate job applicants instead of the home-grown approach that they were apparently using. This will eliminate the use of actual patient data when evaluating applicants. Other corrective action to be taken by the hospital includes automated flagging of emails that may contain potential protected health information (presumably some sort of data loss prevention). Additionally, a second level of approval will now be required before these emails can be sent. Finally, they will work with their encryption provider to strengthen their encryption practices.
Multiple HIPAA violations occurred in these incidents, including a lack of appropriate physical, technical and administrative safeguards; violation of the minimum necessary principle; and the transmission of unencrypted PHI via email.
Takeaways from this incident are the following recommendations for health providers:
- Ongoing investments in employee training are necessary to reinforce priorities regarding patient confidentiality.
- The Minimum Necessary requirement of the HIPAA Privacy Rule requires a top-to-bottom review of all routine disclosures of PHI and the creation of procedures for these disclosures. Had such a review been performed here, it would have determined that actual patient data was neither required nor appropriate for employee evaluations.
- In a large organization, one can anticipate that some percentage of employee mistakes will occur that put PHI at risk. Recognizing this reality, two appropriate controls include:
  - Data loss prevention solutions, which reduce intentional or unintentional leaking of information via email, USB flash drive, or other routes of egress.
  - Email encryption systems, which can be tuned with filters to recognize PHI and encrypt such emails automatically.
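As an added example (not code from the hospital or this article) of the automated flagging, second-level approval and encrypt-on-PHI controls described above, the following Python DLP rule scores an outbound CSV attachment by the PHI column categories it carries (the field types reported in the Rady spreadsheet) and decides whether to allow it, encrypt it, or hold it for approval. The header terms, thresholds and sample files are constructed assumptions for this example.

```python
import csv
import io
import re

# Header terms that together suggest a patient-level PHI extract. The
# categories mirror the fields reported in the Rady spreadsheet; the exact
# header spellings and thresholds are assumptions for this example.
PHI_HEADER_TERMS = {
    "name": r"\bname\b",
    "dob": r"\b(dob|birth)",
    "diagnosis": r"diagnos",
    "mrn": r"\b(mrn|medical record)",
    "admit": r"admi(t|ssion)",
    "discharge": r"discharge",
    "claim": r"\bclaim",
}
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")

def score_attachment(csv_text):
    """Return (matched header categories, count of date-like cells, data rows)."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return set(), 0, 0
    header = [h.strip().lower() for h in rows[0]]
    matched = {cat for cat, pat in PHI_HEADER_TERMS.items()
               if any(re.search(pat, h) for h in header)}
    date_cells = sum(1 for row in rows[1:] for cell in row if DATE_RE.search(cell))
    return matched, date_cells, len(rows) - 1

def dlp_decision(csv_text, min_categories=3, min_rows=10):
    """Policy for an outbound attachment: a multi-row file with several PHI
    columns is held for second-level approval and forced through encryption;
    anything with a single PHI signal is still encrypted; the rest is allowed."""
    matched, date_cells, nrows = score_attachment(csv_text)
    if len(matched) >= min_categories and nrows >= min_rows:
        return "hold_for_approval_and_encrypt"
    if matched or date_cells:
        return "encrypt"
    return "allow"

# Constructed sample attachments (no real patient data).
PATIENT_EXTRACT = "Patient Name,DOB,Primary Diagnosis,Admit Date,Discharge Date,MRN\n" + "\n".join(
    f"Test Patient {i},01/15/2010,Test Dx,03/01/2012,03/04/2012,MRN{i:06d}" for i in range(12))
HELP_DESK_EXPORT = "Ticket,Priority,Owner\n101,Low,Desk\n102,High,Desk"

if __name__ == "__main__":
    for label, text in (("patient extract", PATIENT_EXTRACT), ("help desk export", HELP_DESK_EXPORT)):
        print(f"{label}: {dlp_decision(text)}")
```

A real DLP product would add content fingerprinting and dictionary matching on top of header heuristics, but the decision tiers (allow, encrypt, hold for approval) are the same ones Rady's corrective action plan describes.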