Unsecure Email Incident a Reminder of Risks to PHI
Mississippi Medicaid Website Transmitted Unencrypted Email
A breach report involving the transmission of protected health information via unencrypted email offers a reminder of the need to pay attention to safeguarding PHI no matter where it resides.
The Mississippi Division of Medicaid reported on May 26 to the U.S. Department of Health and Human Services the unauthorized access/disclosure incident that affected about 5,220 individuals, according to the HHS "wall of shame" website of breaches affecting 500 or more individuals.
In a statement, Mississippi DOM says that on April 7, DOM officials became aware of an issue with the online service the agency used to create forms posted to DOM's website.
"Once an online form was submitted, the information was also emailed to designated staff within the agency. The email containing the information was not transmitted in a secure manner (i.e. encrypted). This resulted in the possible exposure of information that may have been entered into certain online forms."
DOM says that, based on its investigation, it can confirm that those emails and the information they contained were stored securely once received.
The incident had no impact on individuals' eligibility determinations or on the benefits of beneficiaries currently enrolled and receiving Medicaid services, DOM says.
"Once the error was discovered, the online forms were immediately removed from the website and use of the online form service was terminated. The agency is also in the process of strengthening technological safeguards, in addition to revising policies and procedures addressing privacy and security regulations," DOM says.
The incident was limited to six forms, DOM reports, and may have involved names, birth dates, addresses, phone numbers, email addresses, admission and enrollment dates, health insurer, condition, Social Security numbers, and Medicare and/or Medicaid identification numbers.
"It is highly unlikely that the data was compromised, since the typical Internet user would not know how to capture it during transmission. The data storage was secured both at the originating source and the destination [DOM], reducing the risk of the data being compromised," said Keith Robinson, DOM's security officer.
Mississippi DOM says it has not received any evidence of unauthorized PHI use or access related to this incident.
Some security and privacy experts acknowledge that the likelihood of the DOM email being compromised during transmission is low.
Nevertheless, "using encryption helps ensure that messages sent to the wrong recipients cannot be viewed," says Keith Fricke, principal consultant at tw-Security. "It is more likely that criminals would try to compromise an email system and read unencrypted messages, having gained unauthorized access."
Many more covered entities and business associates are becoming better aware of email-related security risks, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"Many of my clients have told me, following risk assessment or privacy impact assessments, that they didn't realize that clear text emails were generated through such things as website forms that they use on their sites to collect information from insureds or patients, or by using various types of smartphone apps, just to name a couple," she says.
"This issue usually gets overlooked because when organizations are addressing the issue of email security, they tend to focus only on their email servers and services."
Based on Mississippi DOM's description of the incident, "this seems to be more of a system or application issue than a person failing to encrypt," says Mac McMillan, president of the security consultancy CynergisTek. "The real issue here is doing a better job of due diligence on the solutions we acquire to make sure they have all the necessary or desired safeguards."
More organizations are licensing encryption for their email systems, Fricke notes. "In this case, an online service did not configure their online form system to send email securely once a form was submitted. That is a programmatic error," he says.
"The best situation is to set up email to automatically encrypt, based on trigger words appearing in the subject line or a lexicon detecting certain data in the message [such as] Social Security numbers, credit card information, medical record numbers, etc."
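The lexicon-driven auto-encryption Fricke describes, together with the form-to-email step that went wrong in this incident, as an added example in Python. This is not code from DOM, tw-Security or the form service the agency used. The identifier patterns follow the published SSA and CMS structure rules, but the trigger words, the two-hit threshold, the hypothetical submission_id reference and the "notify-only" handling are assumptions chosen for illustration, and the sample submission at the bottom is constructed.

```python
"""Lexicon-based PHI check for outbound email (added example, not DOM's or tw-Security's code).

A mail gateway or a web-form handler calls decide() on the subject and body it is
about to send and acts on the returned action: pass the message through, force
encryption, or (for a form handler with no encryption path of its own) send a
reference-only notification and keep the form contents off the wire.
"""
import re
from dataclasses import dataclass, field

# Identifier patterns. The SSN pattern applies the SSA structure rules (area never
# 000, 666 or 9xx; group never 00; serial never 0000) and accepts the dashed form
# only, so a 3-3-4 phone number does not match. The Medicare Beneficiary Identifier
# (MBI) pattern follows the CMS layout: 11 characters in the order numeric, alpha,
# alphanumeric, numeric, alpha, alphanumeric, numeric, alpha, alpha, numeric,
# numeric; the letters S, L, O, I, B and Z are never used; the dashes printed on
# cards after positions 4 and 7 are optional.
_A = "[AC-HJKMNP-RT-Y]"      # MBI alpha position
_AN = "[AC-HJKMNP-RT-Y0-9]"  # MBI alphanumeric position
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "medicare_mbi": re.compile(rf"\b[1-9]{_A}{_AN}\d-?{_A}{_AN}\d-?{_A}{_A}\d\d\b"),
}
# Subject-line tags that force encryption regardless of body content (assumed convention).
SUBJECT_TRIGGER = re.compile(r"\[(secure|encrypt)\]", re.IGNORECASE)
# Body vocabulary that raises suspicion; two or more hits force encryption (assumed threshold).
BODY_TRIGGERS = ("diagnosis", "medicaid", "medicare", "date of birth", "social security")


@dataclass
class Finding:
    kind: str     # "ssn", "medicare_mbi", "subject-trigger" or "body-trigger"
    where: str    # "subject" or "body"
    sample: str   # redacted match, safe to write to a gateway log


@dataclass
class Decision:
    action: str   # "send" or "encrypt"
    findings: list = field(default_factory=list)


def redact(token: str) -> str:
    """Keep only the last four characters so the gateway log is not a second leak."""
    return "*" * max(len(token) - 4, 0) + token[-4:]


def scan(subject: str, body: str) -> list:
    findings = []
    tag = SUBJECT_TRIGGER.search(subject)
    if tag:
        findings.append(Finding("subject-trigger", "subject", tag.group(0)))
    for name, pattern in IDENTIFIER_PATTERNS.items():
        for where, text in (("subject", subject), ("body", body)):
            for match in pattern.finditer(text):
                findings.append(Finding(name, where, redact(match.group(0))))
    lowered = body.lower()
    findings.extend(Finding("body-trigger", "body", w) for w in BODY_TRIGGERS if w in lowered)
    return findings


def decide(subject: str, body: str) -> Decision:
    findings = scan(subject, body)
    kinds = [f.kind for f in findings]
    if (any(k in IDENTIFIER_PATTERNS for k in kinds)
            or "subject-trigger" in kinds
            or kinds.count("body-trigger") >= 2):
        return Decision("encrypt", findings)
    return Decision("send", findings)


def build_form_notification(form_name: str, submission_id: str, fields: dict) -> tuple:
    """The form-to-email step from the incident, done the safe way round.

    Returns (subject, body, action). When the submitted data would require
    encryption, the body carries only a reference (the hypothetical submission_id)
    and the reviewer fetches the contents from an authenticated portal instead of
    receiving them in clear text.
    """
    subject = f"New {form_name} submission"
    body = "\n".join(f"{label}: {value}" for label, value in fields.items())
    if decide(subject, body).action == "encrypt":
        body = (f"A new {form_name} submission (ref {submission_id}) is waiting for "
                "review in the secure portal. Form contents are not included here.")
        return subject, body, "notify-only"
    return subject, body, "send"


if __name__ == "__main__":
    # Constructed sample submission; the identifiers are example values, not real ones.
    sample = {"Name": "Jane Doe", "SSN": "219-09-9999", "Medicare ID": "1EG4-TE5-MK73",
              "Phone": "601-555-0123", "Condition": "diabetes"}
    subject, body, action = build_form_notification("Provider Enrollment", "f-0001", sample)
    print(action, "->", body)
    for finding in scan(subject, "\n".join(f"{k}: {v}" for k, v in sample.items())):
        print(finding)
```

The scan only ever logs redacted matches, because a DLP gateway that writes the full SSN it just found into its own log has moved the problem rather than solved it. The notify-only path is the pragmatic answer for a third-party form service that cannot encrypt: the notification that leaves the service carries nothing worth intercepting, and the PHI is only ever read over an authenticated session.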
New Guidance Needed?
McMillan says the Mississippi incident "also underscores the need for the healthcare industry to publish general guidelines for developers of systems that specify security requirements, standards, protocols, interoperability specifications, etc. that could be used by both the consumer - the healthcare entity - and the vendor when developing and assessing systems intended to be used to handle healthcare information."
Then organizations like the Mississippi DOM "would have a guideline to use when producing requests for proposals, performing source selections and conducting proofs of concept or evaluations," he says.
Herold points to an array of potential security risks involving email containing PHI. Those risks include sending or receiving email on unsecured public networks; insiders "sniffing" their employers' networks to capture communications; spoofed phishing emails; fax transmittals of documents containing PHI that get automatically forwarded to email inboxes unencrypted; and lost and stolen computing devices that contain unencrypted email.
It's worth noting that under HIPAA, covered entities must provide patients - or a third party the patient designates - with access to the patient's health information in the format the patient requests, even if that request instructs the healthcare entity to transmit the records electronically via unencrypted email.
But patients also need to be aware of the risks involved. "Your provider is no longer responsible for the security of your health information after it is sent to a third party," HHS warns in "patient engagement" material issued in 2016 to educate patients and healthcare providers about patients' rights to access their own "designated record" of PHI (see Patient Access to Records: Requirements and Risks).