A US health plan provider recently revealed a data breach affecting roughly 11,500 patients that started with an email error.
It happens: we realise a split second after sending an email that we left someone cc'd who should not have been, or that we forgot to attach the latest PDF of some report. These are relatively minor failings, but the same mistake can happen on a larger scale, with much more serious consequences.
An employee at Iowa Total Care, Inc., a managed care organisation based in Des Moines, Iowa, US, knows that feeling well now. The organisation, a health plan that is a subsidiary of Centene, a large, publicly traded managed care organisation based in Missouri, recently confirmed that an email error resulted in the information of 11,581 patients being sent to the wrong recipient.
It was reported that the employee mistakenly sent an Excel spreadsheet containing claims data to a large provider organisation.
That would normally not be a problem, but this file contained protected health information (PHI) belonging to patients who had not received medical care from that provider.
The spreadsheet contained names, Medicaid ID numbers, dates of birth, and procedure and diagnosis codes for those 11,581 patients.
The recipient reportedly never shared or copied the spreadsheet and instead deleted it. To address the lapse, Iowa Total Care says it has re-educated the employee and implemented additional safeguards to stop an incident like this from recurring.
As the provider is a HIPAA covered entity, it was required to inform the US Department of Health and Human Services’ Office for Civil Rights; the breach appears on OCR’s Breach Portal with a submission date of June 23.
HIPAA's Privacy Rule requires covered entities to implement safeguards to protect PHI, and the Security Rule adds administrative, physical and technical safeguards for electronic PHI, including transmission security. At first glance it is unclear exactly what safeguards Iowa Total Care had in place.
Healthcare record breaches are not uncommon these days, and they pile up quickly into a compliance problem. But a control that can see, classify and protect data such as Medicaid numbers at the point of egress, for example by inspecting outbound attachments and blocking or quarantining PHI addressed to a recipient who has no relationship with those members, could have stopped the spreadsheet leaving in the first place and diminished the chance of the data being sent off via email.
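The following is an added example of what such a "see, classify and protect" check could look like at an outbound mail gateway. It is not Iowa Total Care's, Centene's, or any vendor's code. The sample spreadsheet, the domain names, the Medicaid ID format (seven digits followed by a letter) and the map of which external domain has a treatment relationship with which members are all assumptions for illustration; the ICD-10-CM and CPT code formats are real. The check classifies an attachment as PHI only when a row pairs an identifier with a clinical code, then blocks the message if any member in the file is not one the recipient domain is entitled to see, which is exactly the failure described above.

```python
"""Illustrative outbound-email DLP check for PHI in a spreadsheet-style attachment.

Added example, not Iowa Total Care's or any vendor's code. The Medicaid ID
format, the domains and the relationship map below are assumptions.
"""
import csv
import io
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a claims export like the one described in the article.
SAMPLE_CSV = """member_name,medicaid_id,dob,procedure_code,diagnosis_code
Jane Doe,1234567A,1985-03-12,99213,E11.9
John Roe,7654321B,1972-11-30,71046,J18.9
"""

# Indicator patterns. ICD-10-CM and CPT formats are real; the Medicaid ID
# format (7 digits + one letter) is an ASSUMED format for this example.
PATTERNS = {
    "medicaid_id": re.compile(r"\b\d{7}[A-Z]\b"),
    "dob": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "icd10": re.compile(r"\b[A-TV-Z]\d[0-9A-Z](?:\.[0-9A-Z]{1,4})?\b"),
    "cpt": re.compile(r"\b\d{5}\b"),
}
IDENTIFIERS = {"medicaid_id", "dob"}
CLINICAL = {"icd10", "cpt"}

# Assumed policy data: external domain -> member IDs it has treated (in a real
# deployment this would be derived from the plan's own claims history).
RELATIONSHIPS: Dict[str, Set[str]] = {"provider-a.example": {"1234567A"}}


def scan_rows(csv_text: str) -> List[Dict[str, List[str]]]:
    """Return, per data row, the indicator matches found (header row skipped)."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)
    rows = []
    for row in reader:
        if not any(cell.strip() for cell in row):
            continue
        line = ",".join(row)
        rows.append({name: pat.findall(line) for name, pat in PATTERNS.items()})
    return rows


def classify(csv_text: str) -> Tuple[str, List[Dict[str, List[str]]]]:
    """Label the file PHI if any row carries an identifier AND a clinical code.

    A lone DOB or a lone 5-digit number (ZIP codes look like CPT codes) is not
    enough on its own; identity plus health information is what makes it PHI.
    """
    phi_rows = [r for r in scan_rows(csv_text)
                if any(r[k] for k in IDENTIFIERS) and any(r[k] for k in CLINICAL)]
    return ("PHI" if phi_rows else "NON_PHI"), phi_rows


def egress_decision(csv_text: str, recipient: str, sender_domain: str,
                    relationships: Dict[str, Set[str]]) -> Tuple[str, List[str]]:
    """Decide whether the message may leave; returns (decision, offending IDs).

    Internal mail and non-PHI attachments are allowed. PHI going to an external
    domain is blocked if the file names any member that domain has no treatment
    relationship with, and quarantined for review if a PHI row has no member ID
    the policy can check.
    """
    label, phi_rows = classify(csv_text)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if label == "NON_PHI" or domain == sender_domain.lower():
        return "allow", []
    authorised = relationships.get(domain, set())
    leaked = sorted({mid for r in phi_rows for mid in r["medicaid_id"]
                     if mid not in authorised})
    if leaked:
        return "block", leaked
    if any(not r["medicaid_id"] for r in phi_rows):
        return "quarantine", []
    return "allow", []


if __name__ == "__main__":
    # provider-a only treats 1234567A, so 7654321B must not go to them
    print(egress_decision(SAMPLE_CSV, "claims@provider-a.example",
                          "plan.example", RELATIONSHIPS))
```

The decision is deliberately driven by the recipient's relationship to the members named in the file rather than by the mere presence of PHI, since sending claims data to a provider is legitimate for that provider's own patients; the incident above was the file including everyone else's.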