Privacy Officer's Roundtable

Breach/No Breach Emails

    Posted 10-25-2019 09:13 AM
    We have had a recent probing attack on our email systems. The person(s) responsible have been able to gain access over individual email accounts that belong to administrators, admissions, regional clinical consultants, HR, Therapy Directors, etc. The "hacker" has been able to take control of the email at a point in time and send email directly from that account. Those emails generally contain viruses in the form of attachments or links to click. Because they "look" like they are from a trusted source, the person clicks on the link or attachment and a virus spreads.
    IT is able to reclaim the e-mail by wiping the contents, resetting it and wiping the computer.

    Because of the email system we have, we do not have administrative controls to look at any "background" information. We cannot see when the email was accessed and how. Based on a tip from someone from this forum, we did ask some questions to the company (thanks Mark).  We are trying to work on that with the company that supplies the email. They may be able to retrospectively find that information (for a sizable cost). I'm not sure what we will actually get from them though.

    At this point IT reports they feel like they can say an unauthorized person was able to send email straight from the account.
    Here is my question. Is this a reportable breach?  Each of those accounts had anywhere from 100 to thousands of emails. Each account had various emails referring to patients. Some are clinical discussions between nursing for example. We have others that are sending new admission information by email. I can go through each email by hand and see that there is PHI contained within the email body and sometimes attachments. Typically it is not included in the subject.
    Emails are not encrypted.

    Do you feel like this is a breach? Would you total each email as an instance or would the email itself be a single instance?

    Any thoughts appreciated.

    Bethanne VanderMolen
    Chief Compliance Officer/Director of Risk Management
    Choice Health Management Services, LLC
    2020 SCCE Membership