Preventing Breaches Involving Personal Email
Incident at Colorado Medical Practice is Latest Reminder of Need for Precautions
A recently reported health data breach in Colorado offers a reminder that organizations must take precautions to prevent and detect data leakage involving current and former employees inappropriately using personal email.
In a notification statement, Lasair Aesthetic Health says that on May 12, the cosmetic procedures practice discovered that one of its former managers, after resigning, "took patient identifying information by forwarding certain documents, including patient lists, to her personal email account."
The incident, which involved information on 1,835 individuals, was reported July 11 to the Department of Health and Human Services, according to HHS' "wall of shame" tally of health data breaches affecting 500 or more individuals.
"Lasair has learned through its investigation that on May 11, the former employee secretly used her work email account through her mobile phone to forward to her personal email address certain documents and lists containing patient PHI," Lasair says in its notification statement.
Patient information contained in the breached records included full names and the amount patients spent or credits they had with Lasair during 2015, Lasair says. "For a couple of patients, the type of information also included treatment results, including photographic images without faces showing," according to the notification.
Lasair says it has "demanded that the former employee not use and destroy the documents and patient information she took." The former employee informed Lasair that the information was deleted, the notification says. "We are seeking an injunction to ensure there will be no use or disclosure of the information. Additionally, Lasair reported this incident to law enforcement for further investigation."
Some privacy and security experts say the Lasair breach is just the latest example of a common issue for many organizations.
"A large portion of employees plan to take what they view will be helpful PHI and/or intellectual property from their current employer when they have made the decision to leave," says Rebecca Herold, CEO of The Privacy Professor and co-founder of the consulting firm SIMBUS Security and Privacy Services. "Former employees should never be allowed to continue accessing the network using their accounts once they have left the organization."
Occasionally, breaches involving workers emailing PHI to their personal email accounts have ended up in criminal court. For instance, among the largest email-related breaches involving malicious, unauthorized access or disclosure listed on the "wall of shame" is a 2012 incident at the South Carolina Department of Health and Human Services, which affected nearly 228,500 enrollees of the state's Medicaid program.
After that breach, a former state employee in November 2014 was sentenced to three years of probation after pleading guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy. The former worker allegedly transferred personal information about Medicaid recipients to his personal email account.
Organizations can take several steps to help address the issue of email-related breaches, says Keith Fricke, principal consultant at consulting firm tw-Security. That includes blocking all outbound access to external personal email from the hospital's network and requiring staff to access their personal email on their personally owned phones by connecting to the hospital's guest wireless network, he says.
Also, if a hospital has a "bring your own device" policy, mobile device management software can be configured to help prevent co-mingling of hospital email and personal email, he notes. "After-hours work should be done via secure remote access into the hospital's network and not by sending copies of data to their personal email, assuming they don't have remote access to their email when not at work," Fricke adds.
The best course of action is to block access to personal email, requiring workers to access it from personally owned devices that are not capable of receiving hospital email, Fricke adds.
"If circumstances require permitting access to personal email, the hospital should be using SSL inspection and/or data leakage prevention technologies to examine web-based personal email for evidence of PHI," he adds.
When it comes to protecting data from breaches involving former employees, as in the Lasair case, Herold suggests organizations take a number of additional actions.
For starters, entities should implement administrative controls, including having workers sign non-disclosure agreements and confidentiality agreements in which they agree to not take any information from the organization in the event they leave, she notes.
Technology controls include "using DLP tools, doing logging of network and database activities and accesses, and immediately removing access from the company/organization network, especially remote access as soon as you know an employee plans to leave the organization," she says.
"For physical controls, I've seen it be effective to actually assign someone from the information security area, or the physical security/safety area, to physically accompany high risk employees - those who have access to a large amount of PHI and/or IP - from the point in time they put in their resignation until they actually leave, so that someone sees everything they are doing."
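The logging and access-removal controls described above can be combined into a simple review of outbound mail logs. The following is an added example, not code from Lasair or the consultants quoted; the log layout, domains, addresses, dates and the HR separation feed are all constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample data: log layout, domains, addresses and dates are
# illustrative assumptions, not details from the incident described above.
ORG_DOMAIN = "clinic.example"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "icloud.com"}
# Hypothetical HR feed: account -> time the separation was recorded.
SEPARATIONS = {"manager@clinic.example": datetime(2024, 3, 10, 17, 0)}

MAIL_LOG = """\
time,sender,recipient,subject,attachments
2024-03-09T10:02:00,manager@clinic.example,vendor@supplier.example,Invoice,1
2024-03-09T12:30:00,nurse@clinic.example,nurse.home@gmail.com,Lunch plans,0
2024-03-11T21:14:00,manager@clinic.example,manager.private@gmail.com,FW: Patient list,3
2024-03-11T21:16:00,manager@clinic.example,manager.private@gmail.com,FW: Credits,1
"""


def review_outbound(log_text, separations=SEPARATIONS):
    """Return (severity, row, reasons) for each outbound message worth review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        sender = row["sender"].strip().lower()
        if not sender.endswith("@" + ORG_DOMAIN):
            continue  # only mail sent from work accounts is in scope
        rcpt_domain = row["recipient"].strip().lower().rpartition("@")[2]
        sent = datetime.fromisoformat(row["time"])
        reasons = []
        if rcpt_domain in PERSONAL_DOMAINS:
            reasons.append("personal-email recipient")
            if int(row["attachments"]) > 0:
                reasons.append("carries attachments")
        left = separations.get(sender)
        post_separation = left is not None and sent >= left
        if post_separation:
            # Any mail here means the account was still usable after departure.
            reasons.append("account active after separation")
        if reasons:
            high = post_separation or len(reasons) >= 2
            findings.append(("high" if high else "low", row, reasons))
    return findings


if __name__ == "__main__":
    for severity, row, reasons in review_outbound(MAIL_LOG):
        print(severity, row["time"], row["sender"], "->", row["recipient"], reasons)
```

A "high" finding with "account active after separation" also indicates a deprovisioning gap, independent of where the message was sent.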
Lasair's Mitigation Plan
In the wake of the email incident at Lasair, the organization says it's considering ways to upgrade its information systems to determine reasonable ways to further restrict the ability to access, copy, or move files from Lasair's network. "We are investigating further development of tools we may use to monitor our network for suspicious activity," Lasair says in the statement.
"We are conducting further analysis of our privacy and security safeguards to identify any additional ways we may strengthen the protection of our patients' information. Additionally, Lasair is updating its privacy policies and procedures and will require all staff to review and be instructed on the updated policies and procedures."
Lasair did not immediately respond to an Information Security Media Group request for further comment.