Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.
Prestera Health, the largest behavioral health services provider in West Virginia, serving the counties of Boone, Cabell, Clay, Kanawha, Lincoln, Logan, Mason, Putnam and Wayne in West Virginia, experienced a data breach through its email system.
The statement from their website reads: “December 31, 2020 – We have become aware of a data security incident that may have resulted in unauthorized access to the private information of a small percentage of our patients.” This small percentage of their patients is estimated at 3700 individuals. The information that was exposed “included patient names, dates of birth, medical record and/or patient account numbers, diagnostic information, healthcare provider information, prescription and/or treatment information and, in some instances, addresses, social security numbers and Medicare/Medicaid ID numbers.”
One of the important aspects of this breach is the nature of the facility that was breached. In this case, anybody who obtains access to this data will know that the patients on the list were treated for a behavioral health problem or a substance abuse problem. Think of the potential reputational damage that could be experienced by these individuals.
As a result of this breach, Prestera Health must now complete its Breach Notification process. This includes sending every patient involved a letter detailing the incident, the steps that Prestera is taking to help mitigate the damage caused by the incident, and information on the steps the patients can take to protect their own personal information. In addition, Prestera is required by the HIPAA regulations to publicly post the details of the event (which can be found on the Prestera website) so that individuals who do not receive the letter will be aware of the event. Prestera has also set up complimentary identity theft restoration and credit monitoring services.
The breach was related to the Prestera email services. This points to a number of issues that need to be considered by your practice:
- How secure is your email system?
- What information is currently being stored in your history of sent and received emails?
Medical practices often get requests from patients to send out information via email. When a patient provides written permission to send their information via email, the medical practice is allowed to send protected health information via unencrypted email. When you receive a request of this nature, you should always have a signed consent stating that the patient understands that email is not secure and that they give you permission to send their PHI via email. But what should you do after that email is sent? The best steps to take are:
- Document what information was sent to the patient, on what date, and to which email address it was sent.
- Make sure your documentation includes the release form signed by the patient.
- Once the email has been sent, DELETE it from your system. If it is deleted, it should not be available to an unauthorized individual.
What about when you receive an email from a patient with protected health information? Patients can send their health information via unencrypted email without fear of penalty, because patients are not required to follow the HIPAA Security Rule. Once you receive the email, it is important that you transfer the information to their medical record and then delete the email. This again minimizes the chance that an unauthorized person will access the email system and view health information.
Now is a good time to review the emails that are in your inbox and those that are in your sent folder. Make sure that all vital patient information is recorded in the patients' charts and that you then delete the emails with patient information.
The next step to take is to communicate with your email provider and find out whether they keep backups of the email system. How often are the backup files purged? How long do they keep emails that have been ‘deleted’ on their servers? If you run your own email servers, you want to ask these questions of your IT department.
Please make sure, prior to deleting this data, that it is saved securely in the patient's medical record, as the information may be important in future care decisions or it may be necessary in the case of an audit or a malpractice action. You need to assume that patients will keep a copy of any emails they send you, and it is important that you have copies of this correspondence as well.
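The inbox and sent-folder review described above, together with the documentation step (what was sent, when, and to whom), can be driven by a scan that flags messages containing PHI indicators and records only the metadata the retention log needs. This is an added example, not code from the original article or from TLD Systems; the indicator patterns, mailbox export format and sample messages are constructed assumptions, and the Medicare ID pattern is a simplified shape of the Medicare Beneficiary Identifier.

```python
import email
import re
from email import policy

# PHI indicators that commonly linger in mail folders. Constructed for this
# example; extend with your practice's own identifier formats.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:dob|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "mrn": re.compile(r"\b(?:mrn|medical record (?:number|#))[:\s#]*\d{4,}", re.I),
    # Simplified Medicare Beneficiary Identifier shape, e.g. 1EG4-TE5-MK73.
    "medicare_id": re.compile(r"\b[1-9][A-Z][A-Z0-9]\d-?[A-Z][A-Z0-9]\d-?[A-Z]{2}\d{2}\b"),
}


def scan_message(raw: str) -> dict:
    """Parse one RFC 822 message and report which PHI indicators it contains.
    The record carries only what the retention log needs (date, sender,
    recipient, subject, indicator names); matched values are never copied out.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    haystack = f"{msg.get('Subject', '')}\n{text}"
    return {
        "date": str(msg.get("Date", "")),
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "indicators": sorted(n for n, rx in PHI_PATTERNS.items() if rx.search(haystack)),
    }


def review_folder(raw_messages: list) -> list:
    """Return only the messages that must be charted and then deleted."""
    return [rec for rec in map(scan_message, raw_messages) if rec["indicators"]]


# Constructed sample messages standing in for an inbox/sent folder export.
SAMPLE_MESSAGES = [
    "From: patient@example.com\nTo: frontdesk@example-practice.com\n"
    "Date: Mon, 04 Jan 2021 09:12:00 -0500\nSubject: my records\n\n"
    "DOB: 03/14/1975, SSN 123-45-6789, Medicare 1EG4-TE5-MK73. Please update my file.\n",
    "From: vendor@example.net\nTo: frontdesk@example-practice.com\n"
    "Date: Tue, 05 Jan 2021 10:00:00 -0500\nSubject: invoice 4451\n\n"
    "Attached is this month's invoice. Thanks!\n",
]

if __name__ == "__main__":
    for rec in review_folder(SAMPLE_MESSAGES):
        print(rec["date"], rec["from"], rec["subject"], rec["indicators"])
```

Each flagged record is what to write into the documentation log before the message is charted and deleted; the matched values themselves stay in the chart, not in the log.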
It is important that we are aware of what has gone wrong for other organizations and to take steps to minimize the possibility of similar events happening at our practices. Prestera is about to begin a very painful journey of remediating this breach, enduring an investigation from the Office for Civil Rights and implementing an action plan to ensure this does not happen again. They will also end up on the HIPAA wall of shame for this event. You are encouraged to take any and all appropriate steps to help ensure that a breach of this nature does not happen at your organization.
TLD Systems is available to help you develop policies and procedures to improve your HIPAA Security and we are happy to work with your Technology Vendors to identify methods of better securing your data systems. For more information, visit TLD Systems or call (631) 403-6687.