How do others handle emails containing PHI that may accidentally get sent out unencrypted? I would consider this a breach, based on a risk assessment, even if there is no evidence it ended up in the wrong hands. I would also consider 1 breach affecting 5 patients to be 5 breaches for reporting purposes?
Assuming the email was sent from your organization's system (i.e., your organization has visibility of it), I recommend checking with your IT folks to determine if the email was transmitted via TLS (Transport Layer Security), which would suggest it was encrypted in transit. Most organizations these days can (and do) configure their email systems to at least attempt TLS as the default, even if the end user doesn't 'force' a secure transmission. If both systems are, in fact, configured this way, your IT folks should see that the email was encrypted during transmission. If you learn your organization's systems are not configured this way, see (with the involvement of your IT Security folks) if your IT folks can make the adjustment to prevent future headaches.
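One way IT staff could run the check described above, as an added example that is not part of the original post: it assumes the sending server is Postfix with `smtp_tls_loglevel = 1`, and every host, queue ID and address in the sample log is constructed.

```python
import re

# Constructed Postfix syslog sample (assumes smtp_tls_loglevel = 1); all names are invented.
SAMPLE_LOG = """\
Mar 04 10:15:01 mail postfix/smtp[2211]: Trusted TLS connection established to mx.clinic-a.example[192.0.2.20]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 04 10:15:02 mail postfix/smtp[2211]: 4A1B2C3D4E: to=<records@clinic-a.example>, relay=mx.clinic-a.example[192.0.2.20]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar 04 10:20:07 mail postfix/smtp[2290]: 5F6A7B8C9D: to=<billing@clinic-b.example>, relay=mx.clinic-b.example[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Handshake line logged by the outbound smtp client process.
TLS_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (\w+) TLS connection established to (\S+): (\S+) with cipher (\S+)")
# Per-recipient delivery result line for a queued message.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (\w+): to=<([^>]+)>, relay=([^,]+), .*status=(\w+)")

def delivery_tls(log_text):
    """Map (queue_id, recipient) to relay, status and TLS evidence (None if none was logged)."""
    last_tls = {}  # smtp pid -> [relay, trust, protocol, cipher, queue id it is tied to]
    report = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pid, trust, relay, proto, cipher = m.groups()
            last_tls[pid] = [relay, trust, proto, cipher, None]
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        pid, qid, rcpt, relay, status = m.groups()
        sess = last_tls.get(pid)
        # Conservative: count TLS only when the same process logged a handshake to
        # this relay and that handshake is not already tied to a different message.
        if sess and sess[0] == relay and sess[4] in (None, qid):
            sess[4] = qid
            tls = {"trust": sess[1], "protocol": sess[2], "cipher": sess[3]}
        else:
            tls = None
        report[(qid, rcpt)] = {"relay": relay, "status": status, "tls": tls}
    return report

if __name__ == "__main__":
    for (qid, rcpt), info in delivery_tls(SAMPLE_LOG).items():
        print(qid, rcpt, info["status"], info["tls"] or "no TLS handshake logged")
```

A result of `None` means the log holds no handshake for that delivery, which is missing evidence of encryption rather than proof of cleartext, so confirm the server's TLS logging level before relying on it.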
I don't think it's necessarily a breach. It becomes a breach if the email containing PHI was sent to the wrong person or, after investigation, you conclude that the email was intercepted. I do consider it a security incident though.
Chris Apgar, CISSP, C|CISO
CEO & President
(503) 384-2538 (o)
(503) 816-8555 (c)
(503) 384-2539 (f)
Privacy | Information Security | Compliance | Certification Readiness | Security Incident Response