The University of Arkansas for Medical Sciences (UAMS) and Sacramento County have both recently reported email-related breaches of protected health information (PHI).
On November 29 last year UAMS became aware that a member of staff had forwarded emails from her UAMS email account to a personal Gmail account that included files holding patients’ PHI. The emails in question were forwarded on November 15, 2021, at which point in time the staff member was still working with the UAMS organization. It was discovered that the emails included invoices issued to UAMS seeking payment(s) and Excel spreadsheets employed by UAMS for internal billing compliance and auditing purposes. UAMS has now begun broadcasting (UAMS) notification letters to the many patients that may have been impacted to warn them in relation to the HIPAA breach that could have included a portion of their PHI.
It was discovered, during the official investigation into the breach, that 518 people were impacted. While the emails were found to include names, hospital account information, medical records, appointment details, insurance data, and claim information for billing reasons there were no clinical files, medical history, financial record, or Social Security credentials discovered. Additionally the attachments linked to a few people did have the dates of birth and medication history included.
The employee involved, according to UAMS, was questioned in relation to the breach. She said that the emails had been forwarded to her personal account by mistake and, due to the indiscretion, left her role at UAMS voluntarily.
Meanwhile, Sacramento County has revealed that its databases were infiltrated during June 2021 when a phishing attack resulted in access being granted to unauthorized individuals. These cybercriminals were able to access employee email accounts that held private information linked to members of staff.
The official HIPAA breach notice submitted to OCR confirmed that Sacramento County staff members were targeted in an email phishing attack on June 22, 2021. After receiving the phishing email five employees replied and shared their email account information. It remains unknown exactly when the security breach was first discovered. However, an audit of email mailboxes was able to establish, on November 17 last year, that the compromised email accounts included around 2,096 records that held the PHI of staff members, and another 816 records that included personal information.
Breach notification alerts were sent, by mail, to those who were impacted on January 21, 2022, with the offer of free credit monitoring, credit resolution, and identity restoration solutions for a period of one year.
In the aftermath of the breach Sacramento County has initiated a program to enhance the password requirements for internal email accounts and configure two-factor authentication. Additionally, the group’s security management plan has also been refreshed and more security awareness training sessions have been conducted to assist staff members in recognising phishing emails.