On September 6, 2024, a senior primary care facility, Welcome Health, reported that an unauthorized individual accessed an employee's email, compromising their patients' and contractors' protected health information (PHI).
On July 8, 2024, Welcome Health detected suspicious activity within its email environment, tracing the unauthorized access to an employee’s email account. Following a third-party investigation, they determined that the unauthorized individual accessed patients’ sensitive information from June 11 to July 8, 2024.
The investigation concluded on August 12, 2024, and Welcome Health sent breach notification letters detailing which personal information had been exposed.
Welcome Health’s public notice states that they have “no evidence that any data was used for identity theft or fraud, our investigation determined that the following information was present in the files and emails potentially accessed by the unauthorized party and may have been impacted.”
The notice elaborates that compromised information can include patients’ “first name, last name, date of birth, patient number, health plan member number, claim number, dates of service, diagnosis, and treatment.”
Furthermore, contractors’ “first name, last name, social security number (SSN) or tax identification number (TIN),” were also potentially exposed during the breach.
Covered entities (including healthcare providers, health plans, and healthcare clearinghouses) must use a HIPAA compliant email solution, like Paubox, to prevent cybersecurity breaches. HIPAA compliant emails offer encryption and security features to protect sensitive patient data during transmission and at rest.
Additionally, these solutions offer access controls so provider organizations can limit access to PHI based on employee responsibilities. Role-based access controls further reduce the possibility of data breaches. Organizations can monitor these controls regularly, modifying access as employees change roles.
As a HIPAA-covered entity, Welcome Health must safeguard PHI. When an employee’s email credentials are compromised, it puts patient PHI at risk and exposes the organization to possible HIPAA violation fines, legal action, and reputation harm.
Affected individuals who receive a breach notification from Welcome Health should monitor their accounts and promptly report suspicious activity.
Read also: Enhancing elderly healthcare with HIPAA compliant emails
A breach occurs when an unauthorized party gains access, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information, like email login credentials, with unauthorized individuals.
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle PHI.
Civil penalties for HIPAA violations can include fines ranging from $100 to $50,000 with an annual maximum of $1.5 million per violation. Criminal penalties are applied when HIPAA violations are knowingly committed, with increased fines and imprisonment.