A healthcare plan in Texas alerted patients several weeks ago that their electronic protected health information (ePHI) may have fallen into the wrong hands.

The issue, which the organization chalked up to an error, affected information on anyone who had coverage via the company from June 2014 to August 2018, over 8,000 individuals.

FirstCare Health Plans, an organization based in Austin and co-owned by two hospitals, the Abilene-based Hendrick Health System and Lubbock-based Covenant Health, disclosed the breach t weeks ago. According to a privacy notice mailed to patients, patient ePHI was emailed to an external account without a form of encryption. This may have compromised patients' names, member identification numbers, description of their treatment, procedure codes, authorization numbers, and treating provider names, FirstCare said.

According to the notice, the issue stemmed from an automated daily report containing medical requests that was routinely emailed and did not require previous authorization. Judging by the notice, it sounds as if the email was sent to an unintended recipient beginning on March 22, 2017; this continued until August 16, a day after the healthcare plan's IT team discovered it was still being sent to the individual.

FirstCare has no proof the individual accessed or misused the data but as potentially sensitive healthcare data, including information on patient treatments, was exposed, it elected to recruit the U.S. Federal Government to help carry out an investigation.

The health plan reportedly had mitigations in place, like controls to monitor access, acquisition, use, and disclosure of e-PHI. It's unclear if these mitigations were properly configured however.

FirstCare claims it even had data loss prevention rules in place, something that in most scenarios should have prevented the leakage of data.

Data loss prevention in and of itself can be a challenge however. Having rules in place can’t alone absolve an organization of risk; rules need to be event driven and fine-tuned to fit the risk of an environment. FirstCare claims the report didn’t require previous authorization, something that likely allowed the error to go unchecked all this time. If the report required authorization or if the organization had more strict rules around the emailing of sensitive ePHI in place it's likely it could have saved itself some headaches in the long run.