Email gaffe begets Memphis data breach
May 13, 2013 in Medical Technology
The Regional Medical Center in Memphis is notifying patients of a HIPAA breach after an employee sent out three unsecured emails containing the protected health information and Social Security numbers of nearly 1,200 patients.
The incident occurred between Oct. 29 and Nov. 1, 2012, but according to a hospital notification, the incident wasn’t discovered until March 15, 2013. The unsecured emails included patients’ names, Social Security numbers, dates of birth, account numbers, phone numbers and outpatient physical therapy services data.
“The medical center has been and will continue to work closely with the company that received the emails, and it is believed the emails were deleted and not further used or disclosed at the time of the incident,” the notification read. “The medical center believes this was an innocent employee mistake and has not received any indication that patient information has been used or further disclosed in an inappropriate manner by anyone.”
Since the August 2009 Breach Notification Rule requiring that HIPAA-covered entities provide notification following a breach involving 500 patients or more, more than 1.2 million patients in Tennessee have had their protected health information compromised.
In one of the biggest HIPAA breaches to date, Blue Cross Blue Shield of Tennessee reported in 2009 that 57 unencrypted computer hard drives containing the protected health information of more than one million patients had been stolen. BCBST paid over $6 million for additional data encryption and spent nearly $17 million on protection, investigation and member notification. It was also required to pay an additional $1.5 to the Department of Health and Human Services.