The personal and protected health information of approximately 25,000 patients has potentially been impacted in two separate data breaches, according to the Lake County Health Department in Illinois.
The initial breach took place during 2019 when a Lake County Health member of staff sent an unencrypted email from their corporate email address to an internal employee’s personal email account. The email in question included a spreadsheet that listed medical record requests dating from December 2016 to June 2019. The requests had been submitted via a third-party company which managed the release of information requests for the Lake County Health Department. Included in the spreadsheet were the names of 24,241 patients, together with dates of relevance to the vendor.
The breach was spotted by Lake County Health on July 22, 2019. There was then a delay until July 2021 before notification letters were mailed to impacted individuals. Lake County Health officials stated that they were not aware that notification letters were required in relation to the breach, as no personal health information had been compromised, and this was the reason given for the delay. The Department of Health and Human Services’ Office for Civil Rights said the letters were necessary under HIPAA, as personal health information may have been impacted.
A subsequent data breach was spotted on May 14, 2021, which involved a Google spreadsheet that contained names, birth dates, emails, contact details, and the COVID-19 vaccination status of 705 people. The spreadsheet was stored in the personal Google Drive account of a staff member. Even though Google Drive can be a HIPAA-compliant solution for use in healthcare, personal accounts are not compliant with the legislation. Google can access data held in personal Google accounts and uses that information to provide tailored services and for marketing purposes. All impacted people were seniors who were looking for information on COVID-19 vaccinations. Those individuals have now been made aware of the breach.
These data breaches led to patient data being accessible, but Lake County Health said internal risk assessments were completed and there was no indication that any of the exposed information had been acquired by unauthorized individuals or improperly used.
The Lake County Health Department has since configured processes to stop similar breaches going forward.