Sutter Health Incident Illustrates Email Risks
Unsecure Communication Remains an Industrywide Problem
Sutter Health's revelation that a former employee inappropriately sent patient information to a personal email account in violation of the organization's policy is yet another reminder of the privacy risks posed by email communication.
In a Sept. 11 statement, the California healthcare delivery system says the billing documents for 2,582 patients that were inappropriately emailed included names, dates of birth, insurance identification numbers, dates of services and billing codes. For one patient, compromised information also included a driver's license number. For another, a driver's license number and Social Security number were included.
Sutter Health includes 24 hospitals, 27 ambulatory care facilities and a network of more than 5,000 physicians in Northern California. Previously, the organization reported three other breaches, including a 2011 breach involving the theft of an unencrypted desktop computer containing information on 4.1 million patients (see Another Sutter Health Breach).
The organization says it discovered the email-related incident during a review of the former employee's email activity and computer access. Sutter launched an investigation on Aug. 27 after the organization learned of possible "improper conduct" by the former employee, who worked at Sutter Physician Services, which handles billing for Sutter Health's physician medical foundations.
Most of the patients whose data was involved in the April 26, 2013, incident reside in the greater Sacramento region and are patients of Sacramento-based Sutter Medical Foundation, Sutter Health says. The California healthcare provider says it has no evidence that any of the patient information was misused or disclosed to others. But it's offering affected patients free credit monitoring services for one year.
"Sending any confidential information to a personal email account is strictly prohibited," Sutter Health says in a statement provided to Information Security Media Group. "Sutter Health now has sophisticated software that helps block confidential information from leaving the organization unless appropriate safeguards are in place to securely send the information. Employees are also required to annually acknowledge and sign Sutter Health's confidentiality agreement, which states that the employees agree to abide by and protect Sutter Health's confidential data."
A Sutter Health spokeswoman tells ISMG that the former employee emailed copies of the information without authorization before more technology safeguards were installed - and that Sutter Health now uses encrypted email.
"Sutter works hard at protecting patient information, including implementing new technologies to enhance protection. I cannot provide specific details of those technologies - that's among our safety efforts," she says.
Unfortunately, privacy breaches involving unsecured email - as well as text messages - are a common problem in the healthcare arena, security experts say.
"My experience is that doctors and medical practice employees send PHI through unsecure e-mail all the time," says security and privacy expert Mike Semel, founder of Semel Consulting.
"During our assessments, we often hear that doctors and nurses text each other all day with no concern that the information is PHI," he says. "When we explain that PHI is any communication that includes a patient identifier and information about their treatment, diagnosis or payment for healthcare, and not just the information in the chart, we are often met with surprise."
Besides implementing encrypted email communication, such as by using the "Direct Exchange" protocol, healthcare entities can take other steps to safeguard patient information. For example, they can use data loss prevention programs that scan emails and documents containing sensitive data, such as Social Security numbers, before they're transmitted, security experts say. Depending on the technology, the sensitive data can either be blocked from transmission or automatically encrypted (see Preventing Email Breaches).
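The scan-then-block-or-encrypt decision described above can be sketched as follows. This is an added example, not code from Sutter Health or any DLP product; the domain lists, function names and sample message are assumptions made for illustration, and a production gateway would evaluate envelope recipients and binary attachments as well.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed policy values for this example; they are not from the article.
INTERNAL_DOMAINS = {"hospital.example"}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com"}

SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def find_ssns(text):
    """Return SSN-shaped strings that also pass SSA structural rules."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area[0] == "9":
            continue  # area numbers that are never issued
        if group == "00" or serial == "0000":
            continue  # all-zero group or serial is never issued
        hits.append(m.group(0))
    return hits

def body_text(msg):
    """Concatenate every decoded text/* part, including text attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def evaluate(raw_message):
    """Return 'allow', 'encrypt' or 'block' for one outbound message."""
    msg = message_from_string(raw_message)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    domains = {a.rsplit("@", 1)[-1].lower() for _, a in rcpts if "@" in a}
    external = domains - INTERNAL_DOMAINS
    if not external or not find_ssns(msg.get("Subject", "") + "\n" + body_text(msg)):
        return "allow"
    if external & PERSONAL_WEBMAIL:
        return "block"      # sensitive data headed to a personal account
    return "encrypt"        # sensitive data to another organization

# Constructed sample message (not real data).
SAMPLE = ("From: biller@hospital.example\nTo: someone@gmail.com\n"
          "Subject: billing export\n\nJane Roe, SSN 123-45-6789, code 99213\n")

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Accepting unseparated nine-digit strings raises the false-positive rate on account and insurance numbers, which is why real deployments usually pair the pattern with nearby keywords or a match count threshold.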
Organizations also need to be wary of employees who work around measures that have been put in place to prevent breaches involving email, Semel stresses.
"When doctors have privileges in multiple hospitals, it is easy to use free webmail for communications wherever they are," he says. "Even if you have a secure e-mail server in your practice that allows for secure messaging within your organization, sending a message to someone else, like a specialist, [using webmail] is not secure."
Employees and clinicians need to be educated on the secure methods for sending communication involving PHI, Semel says.
Independent HIPAA attorney Susan Miller says many breaches involving unsecured communication likely aren't being reported to the Department of Health and Human Services' Office for Civil Rights, which tracks healthcare data breaches.
"I think they are as under-reported as sending a fax the wrong way," she says. Tips on the do's and don'ts related to email encryption are "not part of any training that most staff get," she says. "I have been talking to my clients about just use WinZip for some protection," she notes, referring to the zip utility web application, which encrypts email.
More Guidance Needed?
At a recent annual HIPAA security conference hosted by OCR and the National Institute of Standards and Technology, OCR officials acknowledged that incidents involving unsecure email are likely underreported to the agency.
"We are seeing a lot of different problems with the transmission of electronic PHI," OCR director Jocelyn Samuels said during a question-and-answer session with attendees. "We are aware there are problems with email and text. We would like feedback on guidance we might provide" to help understanding of protecting electronic communication involving PHI, she said.
While communication between healthcare providers that involves the sharing of PHI should be secured using encryption or other safeguards, patients can request that their doctors electronically send them their records without using encryption or other secure methods, as long as the individuals are made aware of the risks, OCR officials noted during the conference.
"Provider-to-provider communication should be secure," says Deven McGraw, OCR deputy director of health information privacy. "However, patients may request unencrypted communication."