HIPAA Violation Email Examples

There are thousands of HIPAA violation email examples in the public domain, and likely many more thousands not made public due to the reporting requirements of HHS’ Office for Civil Rights and State Attorneys General. However, few examples of HIPAA email violations explain what the consequences of the violations were to organizations and individuals.

One of the challenges of finding HIPAA violation email examples is that the HHS Breach Report only publishes details of HIPAA data breaches affecting 500 or more individuals. As a result, only around 600 data breach reports are published each year despite HHS’ Office for Civil Rights being notified of more than 60,000 data breaches per year.

To exacerbate the challenge of finding HIPAA violation email examples, reports of data breaches can be miscategorized. For example, in November 2023, Medical University of South Carolina (MUSC) reported a data breach attributable to emails being sent to the wrong recipients. The data breach was miscategorized as “Unauthorized Access” to a “Network Server”.

It can also be the case that a data breach results from an employee interacting with a phishing email; but, because the data accessed in the breach was in another location, the breach notification reports the data breach as a “Hacking/IT Incident” on a “Network Server”. An example of this is the September 2022 breach notification filed by Magellan Rx Management.

Other Sources of HIPAA Violation Email Examples

The HHS Breach Report is not the only source of HIPAA violation email examples. Eighteen State Attorneys General make data breach reports publicly available. Some states set a threshold for how many individuals must be affected before a breach is notifiable. All states include data breach notifications from all sources, so it can be difficult to isolate those which are HIPAA breaches.

There are also several websites that accumulate data breach reports from widespread sources (e.g., databreaches.net). While these websites are good at accumulating data breach reports, the reports sometimes lack the granularity necessary to identify whether a data breach is attributable to a HIPAA email violation because of the sources from which they originate.

In addition to these sources of HIPAA violation email examples, a further option is to search the Internet for examples of HIPAA email violations. While some results might only list activities that violate the HIPAA email rules rather than actual examples (e.g., failing to enter into a Business Associate Agreement with an email service provider), others provide actual examples.

5 Examples of HIPAA Email Violations with Consequences

Although there are thousands of HIPAA email violation examples, it is not always possible to identify what the consequences of the violations were. In the following examples, there is a public record of the consequences. It should be noted that there are more cases in which there were financial consequences for HIPAA email violations, but the settlements were undisclosed.

Interaction with Spam Email Leads to $750,000 Fine

In November 2013, an employee of University of Washington Medicine (UWM) downloaded an attachment to a spam email that deployed malware across UWM’s IT network. The malware provided a backdoor for hackers to steal PHI relating to approximately 15,000 patients and compromise a further 76,000 records maintained in protected designated record sets.

Following an investigation into the incident, HHS’ Office for Civil Rights identified multiple potential Security Rule violations – including the failure to implement “procedures for guarding against, detecting, and reporting malicious software” (§164.308(a)(5)). In December 2015, UWM settled the alleged HIPAA email violations for $750,000 and agreed to a corrective action plan.

Receptionist Sentenced to 2-6 Years for Email Theft

In February 2015, Annie Vuong – a former receptionist at a Manhattan Dental Surgery – was indicted on 189 charges of accessing patient data and emailing it to Devin Bazile – a former Apple store employee. The pair, with two accomplices, used the stolen data to acquire more than $700,000 in credit, which was used to purchase Apple gift vouchers and Apple products.

In April 2018, Vuong was found guilty of the charges and sentenced to 2-6 years for grand larceny and identity theft. Bazile – the ringleader of the group – was sentenced to 3-9 years. No enforcement action was taken against the Dental Surgery, as Vuong had acted outside the scope of her employment as a receptionist when violating HIPAA and §1177 of the Social Security Act.

Multi-Million Settlement of Email Violation Class Action

In May 2019, several employees of Presbyterian Healthcare Services interacted with phishing emails – giving hackers access to the PHI of 1,120,629 patients and health plan members. HHS’ Office for Civil Rights declined to take enforcement action after receiving assurances that workforce members had been retrained on email security and on how to identify phishing emails.

Nonetheless, patients and health plan members impacted by the HIPAA email violation took legal advice and – using HIPAA as the standard of care – filed a class action lawsuit. In June 2024, Presbyterian Healthcare Services settled the class action without an admission of liability for up to $3,500 per class representative and up to $750 per class member.

First HHS Settlement for a Phishing Email Data Breach

In March 2021, a member of the workforce at Lafourche Medical Group interacted with a phishing email purporting to be from one of the Medical Group’s owners. The interaction enabled a hacker to obtain the login credentials for the organization’s Microsoft 365 environment, which were used to access the PHI of up to 34,862 patients.

The subsequent investigation into the data breach found that Lafourche had failed to conduct a security risk analysis and had failed to implement procedures to review information system activities – both requirements of §164.308(a)(1). The Medical Group agreed to settle the alleged violations for $480,000, adopt a corrective action plan, and provide additional HIPAA training.

Failure to Manage Email Privileges Costs EyeMed

In May 2023, EyeMed Vision Care settled a data breach investigation with State Attorneys General from Oregon, New Jersey, Florida, and Pennsylvania for $2.5 million. The investigation related to a 2020 data breach in which an unauthorized individual obtained the login credentials to an employee’s account and used the account to send more than 2,000 phishing emails.

The investigation into the data breach found that the hacked email account also contained 6 years of PHI for 2.1 million patients, and that the impact of the breach was exacerbated by employees being given higher than necessary email privileges. In a separate action, EyeMed also settled a NY Department of Financial Services investigation for $4.5 million.

Conclusion: It Pays to Comply with the HIPAA Email Rules

What the HIPAA violation email examples demonstrate is that, even though HHS’ Office for Civil Rights does not pursue enforcement action for every data breach, there can be consequences from other sources. Compliance with the HIPAA email rules is often used as the expected “standard of care” in private civil actions and enforcement actions filed by State Attorneys General.

Organizations that can demonstrate compliance with the HIPAA email rules will have a solid defense against data breach claims when the cause of the data breach is email related. Part of demonstrating compliance is to ensure members of the workforce receive adequate HIPAA training before disclosing PHI via email, and to enforce sanctions policies when the HIPAA Rules are violated.


Posted by John Blacksmith

John Blacksmith is a journalist with several years of experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.