The University of Arkansas for Medical Sciences and Sacramento County recently reported email-related breaches of protected health information (PHI).
HIPAA Violation by an Employee of the University of Arkansas for Medical Sciences (UAMS)
The University of Arkansas for Medical Sciences (UAMS) has begun sending breach notification letters to patients about a HIPAA violation affecting their PHI.
On November 29, 2021, UAMS learned that an employee had used her UAMS email account to send messages with file attachments containing patients' PHI to a personal Gmail account. UAMS stated the employee sent the email messages on November 15, 2021, while she was still working at UAMS. The messages contained billing statements that were sent to UAMS for repayment and Excel spreadsheets used by UAMS for internal billing compliance and audit.
The attachments did not include clinical documents, health records, Social Security numbers, or financial data. However, they contained PHI such as names, medical record numbers, hospital account numbers, dates of service, type of insurance, and claim data for billing requirements. The attachments also included the birth dates and medication details of some persons. Altogether, 518 persons were impacted.
UAMS said the employee involved was questioned about the HIPAA breach and stated that the emails were sent to her personal email account by mistake; she quit UAMS of her own will.
Sacramento County Phishing Attack Compromised the Health Information of Many Employees
Sacramento County has reported a phishing attack that happened in June 2021, in which unauthorized persons gained access to worker email accounts that included the personal data and PHI of workers.
Based on the report, Sacramento County workers received phishing emails on June 22, 2022. Five workers responded to the phishing email and exposed their credentials. It is uncertain when the security breach was discovered; however, officials said a review of the email accounts confirmed on November 17, 2021, that the compromised accounts included 2,096 records with the PHI of workers and an additional 816 records that included personal data.
Sacramento County sent notification letters to the affected persons on January 21, 2022, and provided complimentary credit monitoring, credit resolution, and identity restoration services for one year. In response to the email security incident, Sacramento County toughened the password standards for employee email accounts and implemented 2-factor authentication. The security management plan was also updated, and additional security awareness training was given to employees.