
Digital Guardian's Blog

Email Error Leads to Exposed PHI of 11,500 Patients

by Chris Brook on Monday June 29, 2020


A health plan recently disclosed a data breach of 11,500 patients that was triggered by an email mistake.

It happens to the best of us.

We realize a split second after sending an email that we left someone cc'd who shouldn't have been, or that we forgot to attach the most recent PDF of a report. While these are relatively minor faux pas, the same mistake can happen on a grander scale, with far more serious consequences.

An employee at Iowa Total Care, Inc., a managed care organization based in Des Moines, assuredly knows that feeling well now. The organization, a health plan that's a subsidiary of Centene, a large, publicly traded managed care organization based in Missouri, recently acknowledged an email error that accidentally resulted in the information of 11,581 patients being sent to the wrong person.

According to reports, the employee mistakenly sent an Excel spreadsheet containing claims data to a large provider organization. While ordinarily this might not be a problem, this file contained protected health information (PHI) belonging to patients who had not received medical care there. The Excel sheet contained information like names, Medicaid ID numbers, dates of birth, and procedure and diagnosis codes. The information of 11,581 patients

The recipient reportedly never shared or copied the spreadsheet and instead deleted it. To address the security lapse, the healthcare facility claims it has re-educated the employee and implemented additional safeguards to prevent an incident like this from happening again.

As the provider is a HIPAA covered entity, it was required to inform the U.S. Department of Health and Human Services' Office for Civil Rights; the breach appears on OCR's Breach Portal with a submission date of June 23.

HIPAA's Privacy Rule requires covered entities to implement safeguards to protect sensitive patient data like PHI, but at first glance it's unclear exactly what mechanisms Iowa Total Care had in place. Healthcare record breaches are a dime a dozen these days; they can easily pile up, leading to a compliance nightmare. Having a solution in place that can see, classify, and protect data like Medicaid numbers could have prevented PHI egress in the first place and diminished the chance of the data getting shuffled off via email.
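To make the "see, classify, and protect" idea concrete, here is an added example (not code from the article or from Digital Guardian's product) of an outbound-attachment check for exactly this failure mode: a claims spreadsheet that carries PHI for patients who are not the recipient provider's own. The CSV, the Medicaid ID format and the provider IDs are constructed placeholders; only the DOB and ICD-10-CM code shapes are general.

```python
import csv
import io
import re

# Constructed sample of an outbound "claims" attachment; every value is fictional.
CLAIMS_CSV = """member_name,medicaid_id,dob,diagnosis_code,procedure_code,provider_id
Jane Roe,1234567A,1980-04-12,E11.9,99213,PROV-100
John Doe,7654321B,1975-11-03,I10,99214,PROV-200
Ann Poe,1111111C,1990-01-20,J45.20,99396,PROV-100
"""

# Detectors for the PHI fields the article names. The Medicaid ID pattern is a
# placeholder assumption (real formats vary by state); DOB and ICD-10-CM shapes are general.
PHI_PATTERNS = {
    "medicaid_id": re.compile(r"^\d{7}[A-Z]$"),                              # assumed format
    "dob": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "diagnosis_code": re.compile(r"^[A-TV-Z]\d[0-9A-Z](\.[0-9A-Z]{1,4})?$"),  # ICD-10-CM shape
}

def classify_phi(csv_text, threshold=0.5):
    """Return the PHI classes whose pattern hits at least `threshold` of the rows."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    found = set()
    for label, pattern in PHI_PATTERNS.items():
        hits = sum(1 for r in rows for v in r.values() if v and pattern.match(v.strip()))
        if rows and hits / len(rows) >= threshold:
            found.add(label)
    return found

def out_of_scope_rows(csv_text, recipient_provider_id):
    """Names of patients not attributed to the recipient provider (the article's failure mode)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["member_name"] for r in rows if r["provider_id"] != recipient_provider_id]

def egress_decision(csv_text, recipient_provider_id):
    """Policy: block when the attachment carries PHI for patients outside the recipient's scope."""
    phi = classify_phi(csv_text)
    leaked = out_of_scope_rows(csv_text, recipient_provider_id)
    return ("BLOCK" if phi and leaked else "ALLOW", sorted(phi), leaked)

def restrict_to_scope(csv_text, recipient_provider_id):
    """Remediation: rewrite the attachment so it only carries the recipient's own patients."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(r for r in reader if r["provider_id"] == recipient_provider_id)
    return out.getvalue()

if __name__ == "__main__":
    print(egress_decision(CLAIMS_CSV, "PROV-100"))
    print(egress_decision(restrict_to_scope(CLAIMS_CSV, "PROV-100"), "PROV-100"))
```

The scope check is what a pure pattern-based DLP rule misses: claims data sent to a provider is legitimate, so the policy has to compare who the records belong to against who is receiving them, not just detect that PHI is present.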

Tags: Industry Insights


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.