UC Davis Suffers HIPAA Breach After a Physician’s Email Account is Hacked
On Sept 25, 2014, the protected health information of over a thousand patients fell into the hands of an offsite hacker.
Currently, the UC Davis IT team has not been able to identify the exact cause of the incident, but the breach did not appear to be the result of a phishing email or other PC virus installation. The most likely cause of this breach was a compromised password, which could have been obtained by answering security questions, brute force, guessing, or by a hospital employee with knowledge of the password.
This is the second UC Davis HIPAA breach this year
In January, over two thousand patients had their information compromised due to a phishing scam – this is where a bogus email is sent with a link whose purpose is to install spyware or keyloggers. It is interesting to note that both of these breaches occurred through some form of email delivery.
While UC Davis has a robust security plan for patient data, it is important to note that employees and physicians can still override these security measures – this exemplifies why regular HIPAA training is a mandatory component of the law. That said, it is also worth noting that employees and physicians should take these requirements seriously and protect their passwords by changing them regularly and complying with complexity requirements.
The PHI involved was not encrypted
Our recommendation at dmi Networking is to encrypt PHI sent over email. This practice encrypts any message stored in the “Sent” folder, but it still requires a keen eye on a recipient’s inbox for PHI that is sent to them unprotected. For this, our recommendation is to get these free-text emails off of the email server and onto an encrypted folder or USB drive to reduce the exposure of patient data.
Password requirements are worth the headache
The current state of healthcare involves a multitude of passwords, all of which must meet complexity requirements and can only be in use for a short time. Although this can create a headache for staff, this UC Davis HIPAA breach illustrates the need for these protocols. Keeping in mind that we don’t know exactly how the hacker retrieved the password, we can say that the incident probably could have been avoided with more training or an extra set of security measures.
Data security is non-negotiable
Security protocols on PHI are strict, and they can require extra time in order to go through the procedures for protecting patient data. There are, however, many automated systems that can be used to reduce some of the end-user requirements. Encryption, for example, can be implemented in the background by using third-party software or a service.
If automated systems are not in place to encrypt and protect patient data, then the responsibility falls on the keeper of the PHI. It is not advisable to sidestep any security requirements due to a time constraint. If time is truly a constraint, then the recommendation is to subscribe to a service that takes care of security for you. If you are looking for such a service, you can contact our data security and dental IT experts, or shop around for a good fit for your needs. Above all, whatever company you choose to provide this service to you, make sure they have a legally binding Business Associate Agreement so that you know HIPAA compliance is high on the service provider’s priority list.