I don’t do “told you so” moments.

I do learn from incidents.

Now, let’s learn:

Indianapolis, Indiana: St. Vincent Hospital, Nov. 12, 2010. The PHI of approximately 1,800 patients was revealed to third parties.
Read the disclosure announcement here.

What happened?

The hospital apparently has a secure email system.

On November 12, 2010 some “hospital employees unintentionally revealed their email login information to third parties.”

From here, the “third parties” were able to access PHI on approximately 1,800 hospital patients.

A few things:

  • Phishing
  • PHI and Email

First, phishing: there is a good chance the “third parties” were not anyone the hospital does business with. What probably happened is that these hospital employees received an email faked to look official that asked for their login information.

This is called phishing. It is a form of social engineering. Either way, medical employees need to be trained on this subject matter.

A few examples of phishing emails would be:

  • The fake “you’ve won the lottery” emails where you have to submit all sorts of personal info to get to “your” money
  • The Nigerian millionaire fake emails, “help the Nigerian millionaire get his money out of the country and you’ll get $30,000.”
  • Fake bank account emails where the email is official looking and asks for you to click here to log into your account and fix a problem
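The three examples above share the same tells: a sender who is not who the display name claims, a link whose visible text does not match where it actually goes, a request for login details, and pressure to act fast. The following added example (not from the original post, and not the hospital's own mail filtering) scores a raw email on those tells so a mail gateway or a training exercise can flag it. The two messages, the `hospital.example` domain and the lookalike `hospita1-mail.example` domain are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed placeholder for the organization's real mail domain (assumption).
ORG_DOMAIN = "hospital.example"

# Constructed sample: a credential-phishing message with a lookalike sender domain,
# a mismatched Reply-To, a disguised link, a credential request and urgency language.
PHISH_MSG = """\
From: "Hospital IT Helpdesk" <helpdesk@hospita1-mail.example>
Reply-To: recover@mailbox-reset.example
To: nurse@hospital.example
Subject: URGENT: verify your secure email login within 24 hours
Content-Type: text/html

<p>Your secure email account will be suspended. Click
<a href="http://hospita1-mail.example/login">https://webmail.hospital.example</a>
and confirm your username and password.</p>
"""

# Constructed sample: an ordinary internal message with none of the tells.
LEGIT_MSG = """\
From: "Scheduling" <scheduling@hospital.example>
To: nurse@hospital.example
Subject: Staff meeting moved to 3pm
Content-Type: text/plain

The Thursday staff meeting is moved to 3pm in room 204.
"""

CREDENTIAL_WORDS = ("password", "login", "username", "verify your account", "confirm your")
URGENCY_WORDS = ("urgent", "within 24 hours", "suspended", "immediately")


def _addr_domain(header_value: str) -> str:
    """Return the lowercased domain of the first address in a header, or ''."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def _body_text(msg: Message) -> str:
    """Collect the decoded text parts of a message (single-part or multipart)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type().startswith("text/")]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def score_message(raw: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Count phishing indicators in a raw RFC 822 message and explain each one."""
    msg = message_from_string(raw)
    reasons = []

    sender_domain = _addr_domain(msg.get("From", ""))
    reply_domain = _addr_domain(msg.get("Reply-To", ""))
    if sender_domain and sender_domain != org_domain:
        reasons.append(f"sender domain {sender_domain} is not {org_domain}")
    if reply_domain and reply_domain != sender_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from sender domain")

    body = _body_text(msg)
    lowered = (msg.get("Subject", "") + " " + body).lower()

    # Visible link text that names one host while the href actually goes to another.
    for href, text in re.findall(r'href="([^"]+)"[^>]*>([^<]+)<', body, flags=re.I):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and href_host and text_host != href_host:
            reasons.append(f"link text shows {text_host} but points to {href_host}")

    if any(w in lowered for w in CREDENTIAL_WORDS):
        reasons.append("asks for login credentials")
    if any(w in lowered for w in URGENCY_WORDS):
        reasons.append("uses urgency language")

    # Two or more independent tells is the (assumed) threshold for flagging.
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 2}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MSG), ("legit", LEGIT_MSG)):
        result = score_message(raw)
        print(name, result["score"], result["suspicious"])
        for r in result["reasons"]:
            print("  -", r)
```

The threshold of two tells is a judgment call, not a standard; the point is that each reason is something a staff member can be taught to look for by eye, which is the training the post calls for.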

Next is the subject of PHI and email.

We always tell practices to never send PHI via email…even secure email.
The Indy hospital is one good reason why.
Another reason is, it just opens a practice up to more risk, more screw ups.

There are a few HIPAA compliant methods of transmitting PHI…email is not one of them.
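A "never send PHI via email" policy is easier to enforce when the mail system checks for it before a message leaves. The following added example (not from the original post, and not a real product's rule set) scans an outgoing subject and body for identifiers and clinical terms that commonly signal PHI, and decides whether to block, flag or allow the message. The patterns and the sample messages are constructed for the example; a real deployment would tune them to the practice's own record formats.

```python
import re

# Constructed patterns for common PHI indicators (assumption: the practice's records use
# "MRN" numbers, US-style SSNs and mm/dd/yyyy dates of birth).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,10}\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "clinical": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-?10|prescri(?:bed|ption))\b", re.I),
}

# Direct identifiers; clinical wording alone is weaker evidence.
IDENTIFIER_LABELS = {"ssn", "mrn", "dob"}

# Constructed sample outbound messages.
SAMPLE_PHI = ("Follow up",
              "Patient John Doe, MRN: 4481920, DOB 03/14/1961, was diagnosed with "
              "pneumonia. Please forward to the specialist.")
SAMPLE_CLINICAL_ONLY = ("Coding question", "What ICD-10 code do we use for a sprained ankle?")
SAMPLE_CLEAN = ("Lunch", "Pizza in the break room at noon.")


def find_phi(text: str) -> list:
    """Return (label, matched_text) pairs for every PHI indicator found in text."""
    findings = []
    for label, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((label, m.group(0)))
    return findings


def outbound_decision(subject: str, body: str) -> dict:
    """Decide what the gateway should do with an outgoing message.

    block: a direct patient identifier is present, so the message is PHI.
    flag:  clinical wording but no identifier; route to a human reviewer.
    allow: nothing matched.
    """
    findings = find_phi(subject + "\n" + body)
    labels = {label for label, _ in findings}
    if labels & IDENTIFIER_LABELS:
        action = "block"
    elif labels:
        action = "flag"
    else:
        action = "allow"
    return {"action": action, "findings": findings}


def redact(text: str) -> str:
    """Replace matched identifiers with a label so the finding can be logged safely."""
    for label, pattern in PHI_PATTERNS.items():
        if label in IDENTIFIER_LABELS:
            text = pattern.sub(f"[{label.upper()} REDACTED]", text)
    return text


if __name__ == "__main__":
    for subject, body in (SAMPLE_PHI, SAMPLE_CLINICAL_ONLY, SAMPLE_CLEAN):
        result = outbound_decision(subject, body)
        print(result["action"], "|", subject, "|", redact(body))
```

Logging the redacted text rather than the original matters: an audit trail of blocked messages should not itself become a second copy of the PHI.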

Do yourself and your staff a favor. Have a crystal clear computer policy that S-P-E-L-L-S out exactly what can and can’t be done at your office. This will reduce screw ups and make your practice HIPAA compliant.

