On September 16, 2015, the University of Cincinnati Health System (UC Health) discovered the Protected Health Information of 1,064 patients had been exposed. The UC health data breach report attributes the PHI breach to a typo made by an employee.
Simple Typing Error Caused UC Health Data Breach
The UC Health data breach occurred as a result of an employee mistyping an email address. Rather than the email being sent to the correct recipient, the transposing of two letters in the domain name resulted in PHI being sent to a different email recipient.
The single error was not noticed until recently, although the mistake was made back in August, 2014. The same incorrect email address was subsequently used on eight further occasions, and each time more PHI was sent to an incorrect recipient outside of the UC Health system. The message should have been sent internally.
Patients have now been notified of the UC Health data breach. They have been told their names, medical record numbers, dates of service, dates of birth, physicians’ name, and some diagnosis information have all been exposed and potentially viewed by an unauthorized individual. Other data elements may also have been exposed according to the UC Health data breach notice posted on the health system website.
UC Health has also informed the breach victims that their data does not appear to have been misused in any way. That said, they have been advised to check their credit accounts and should consider placing a fraud alert on their credit file to alert them to any potential misuse of their data.
The health system has taken action to prevent any further breaches of patient data by blocking the incorrect domain. A forensic analysis is also being conducted by an external cybersecurity firm.
UC Health Data Breach Highlights the Ease at Which PHI can be Exposed
The UC Health data breach was unfortunate. A typo could easily have resulted in an unregistered domain being entered. If that had been the case, a message would have been generating alerting the employee that the message could not be delivered. The mistake would then have been corrected, and the email sent to the correct recipient.
Such a simple error can all too easily result in the exposure of patient PHI; however, HIPAA-covered entities can take actions to reduce the likelihood of an email error exposing PHI. Controls can be implemented to prevent files containing PHI from being sent outside of the internal email network, training can be provided to staff members required to come into contact with PHI instructing them to take extra care when sending PHI, and regular email system audits can be conducted to discover potential privacy breaches. It may not always be possible to prevent data breaches from occurring, but it is possible to ensure they are discovered promptly if they do occur.