HIPAA Breach Case Study – Storing Information in Email

What Happened?

Starling Physicians based in Rocky Hill, CT reported some of their email accounts had been compromised as part of a phishing attack.  As a result, the attacker was able to access patient information including health information, social security numbers, names, addresses, credit card numbers, and passport numbers.

The breach occurred in February 2019.  It is unclear when Starling became aware of the breach.  They did not notify patients until November 12, 2019.  The investigation was concluded on September 12th, 2019.

What Could Have Been Done Differently?

There are a few things that could have been handled differently in this case.

  1. It's obvious MFA was not set up on individual email accounts. As has been the case in many breaches we have studied, having MFA set up and enforced would likely have prevented the breach.
  2. Not having MFA set up most likely means Starling Physicians does not have a BAA (Business Associate Agreement) with their email provider and/or IT Consultant. This puts your practice at risk.  Not having a BAA in place puts the onus squarely on your practice if/when a breach occurs.
  3. Using email as a long-term storage solution is a big red flag. Why in the world would you store sensitive information in your email?
  4. This is an educated guess, but I’d be willing to bet that there was also no encryption being used.

The Potential Cost

At this time there is no indication of how many patient records were impacted.  According to a Starling Physicians spokesperson, the number is less than .01 percent of active patients.  Without that information, it is hard to put a dollar amount on this breach and a potential fine.

The information obtained in the breach includes items that could result in Starling Physicians being fined for HIPAA violations, PCI violations, and violations of Connecticut's data breach laws.

You can just about guarantee the OCR will investigate and uncover the lack of a HIPAA compliance program.  If that happens then Starling can be fined for all their patient records and not just the ones involved in the breach.

The Lesson

This breach will turn out to be another example of a healthcare practice not taking HIPAA compliance seriously.  There will likely be some finger-pointing but in the end, Starling Physicians most likely did not have a HIPAA compliance program.

It’s also likely they did not have an IT consultant who was HIPAA compliant, or they chose the cheapest route when it came to IT.

Here are some things that Starling Physicians should have been doing:

  • Use Complex Passwords/Passphrase (Upper, lower, numbers, special characters)
  • Educate Your Staff on Social Engineering/Phishing
  • Enable MFA
  • Encrypt Email
  • Do not treat email as a long-term storage solution
  • Do not store sensitive information in email (PHI, PII and Credit Card Numbers)
  • IT should be qualified and HIPAA compliant
  • A HIPAA Compliance Program and a Security Risk Analysis need to be in place
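The bullets about not storing PHI, PII or card numbers in email, and not treating a mailbox as long-term storage, can be turned into a routine check. The script below is an added example (not code from the original post or from Starling Physicians): it scans plain-text messages for Social Security numbers and Luhn-valid payment card numbers, and flags any hits sitting in messages older than a retention threshold. The mailbox addresses, message bodies, dates and the audit date are constructed; on a real mailbox you would feed it messages exported from the mail system instead.

```python
"""Mailbox audit for sensitive data that should not be stored in email.

Added example, not code from the original post or from Starling Physicians.
Scans plain-text messages for US Social Security numbers and Luhn-valid
payment card numbers, and flags hits in messages older than a retention
threshold. All sample messages below are constructed.
"""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    """Luhn checksum; filters out most non-card 13-16 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (set of SSNs, set of card numbers as bare digits) found in text."""
    ssns = set(SSN_RE.findall(text))
    cards = set()
    for match in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", match)
        if luhn_ok(digits):
            cards.add(digits)
    return ssns, cards


def _body_text(msg):
    """Plain-text body of a parsed message (multipart handled minimally)."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def scan_message(raw, now, max_age_days=90):
    """Parse one RFC 822 message and report sensitive-data hits and its age."""
    msg = message_from_string(raw)
    ssns, cards = find_sensitive(_body_text(msg))
    age_days = (now - parsedate_to_datetime(msg["Date"])).days
    return {
        "message_id": msg["Message-ID"],
        "ssn_count": len(ssns),
        "card_count": len(cards),
        "age_days": age_days,
        "stale": age_days > max_age_days,  # kept past the retention threshold
    }


def audit_mailbox(raw_messages, now, max_age_days=90):
    """Return one finding per message that contains SSNs or card numbers."""
    findings = []
    for raw in raw_messages:
        result = scan_message(raw, now, max_age_days)
        if result["ssn_count"] or result["card_count"]:
            findings.append(result)
    return findings


NOW = datetime(2019, 11, 12, 12, 0, tzinfo=timezone.utc)  # constructed audit date

SAMPLE_MESSAGES = [  # constructed samples; no real people, accounts or numbers
    """From: billing@practice.invalid
To: frontdesk@practice.invalid
Date: Mon, 06 Feb 2017 10:00:00 +0000
Message-ID: <old-1@practice.invalid>
Subject: Intake form (constructed sample)

Patient SSN 123-45-6789, card on file 4111 1111 1111 1111.
""",
    """From: shipping@vendor.invalid
To: frontdesk@practice.invalid
Date: Fri, 08 Nov 2019 09:30:00 +0000
Message-ID: <recent-2@practice.invalid>
Subject: Supply order shipped

Tracking number 1234 5678 9012 3456. Questions? Call 860-555-0123.
""",
    """From: frontdesk@practice.invalid
To: billing@practice.invalid
Date: Sun, 10 Nov 2019 15:45:00 +0000
Message-ID: <recent-3@practice.invalid>
Subject: Insurance question

Can you verify coverage for SSN 234-56-7890?
""",
]

if __name__ == "__main__":
    for finding in audit_mailbox(SAMPLE_MESSAGES, NOW):
        print(finding)
```

The Luhn check is what keeps the 16-digit tracking number in the second message from being reported as a card number, and the 10-digit phone number never matches the SSN pattern. The first message is reported twice over: it holds both an SSN and a card number, and it has been sitting in the mailbox for almost three years, which is exactly the "email as long-term storage" problem the post describes.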

This breach hasn’t even made it to the HIPAA Wall of Shame…yet.  They are almost two weeks behind so I would imagine it will unless it is a very small number of patient records involved.

Even if it is just a few patients who were breached it’s likely enough to get the OCR’s attention.  Given the little information that is available at this point, it does appear there were at least a few failures in data protection.  That indicates the lack of a HIPAA compliance program which would include a security risk analysis.

That could result in a larger fine issued by the OCR.

As I reviewed the information available about Starling Physicians, they do not seem to have a very good reputation overall.  A breach could be the nail in the coffin for them.  Privacy, Customer Service and Patient Care should all be a core component of any healthcare provider’s culture.  That’s what HIPAA is about.  It looks like Starling Physicians is failing in this area.


Author: Scott Gombar

21 Comments

  • Amber Myers says:

    Oh dear, this would stink. I always worry that my info will accidentally get out there. I mean, my husband is military and his social security has been compromised, which is so not cool.

  • This is scary stuff. There seem to be a lot of red flags that they didn’t take the time to think about. Hopefully going forward they will be on top of it and not too many people’s info has gotten out.

  • Yes, it continues to be important to use really strong passwords as well as other forms of authentication in an environment that requires that extra layer of safety. It is important to remember that all these security and compliance programs are manmade so it only takes another human to figure it out. Therefore it is never 100% secure.

  • All that is created by man alas is therefore corruptible, the levels of security more than ever must be important.

  • Joanna says:

    Employees should always be briefed about phishing and online security. There should be yearly seminars in which they should be reminded what is ok and what is not. A simple click on a phishing link can lead to such a mess.

  • Oh gosh you need to be SO CAREFUL these days. Thanks so much for sharing this with us!

  • Nyxie says:

    I am always concerned about my information leaking. This is a nightmare situation for me and, possibly, for them too. It’s a breach of GDPR, if I’m not mistaken.

  • Agnes says:

    The thing that scares me most is my information landing in the wrong hands. It must be traumatizing for the patients involved, and this should scare all of us even if we are not involved at this moment.

  • Cris says:

    This is so scary! Leaking information is always dangerous, and we should all do our best to prevent that.

  • Tara Pittman says:

    So much scamming these days. You do have to be careful about doing things online.

  • I read about this a couple of months ago, and this is definitely serious. We are talking about information that should be kept confidential at all times. It’s important to keep learning of ways to protect our information and the information of others when we work with sensitive data. Thanks for sharing!

  • Philomath says:

    I have read a couple of articles that talk about scamming in 2019 but it seems so scary as it really includes some personal information. I just hope it will stop and we should be careful.

  • Cindy Nico says:

    This has happened to my family and we had to take drastic measures to make it stop. They got into my son's banking account.

  • Myrah Duque says:

    Yikes! I worry every single day of my information landing in someone’s hands. My daughter is doing her Master’s degree in Cyber Security so she can help others.

  • Lyosha says:

    Sounds very useful! The way information is presented is a key to better understanding one another.

  • The idea that my information would get into the wrong hands really scares me. We all have a duty to be careful with information online especially. Thanks for the info here.

  • I think it’s still too easy to assume your system is protected, but when you are handling sensitive information, you need to make sure your systems are HIPAA compliant. It’s too easy for hackers to hack these days.

  • Christine G says:

    I have been guilty of many of the cautionary bullets you highlight in this post. Worst of all is how much I rely on the important I keep in my email. You brought important issues to light and raised awareness on things for which we should all take caution.

  • Ceci Rey says:

    It is scary to think that someone can find out your personal information from a place you trust. It teaches you to protect yourself in all different ways, Thanks for the information!

  • Just like everybody is saying… It also scares me each time I think of the possibility of any of my accounts being hacked, but it seems like a norm across all platforms. But the question is, can this be prevented in totality? If yes, how?
