HIPAA Breach Case Study – Storing Information in Email
What Happened?
Starling Physicians based in Rocky Hill, CT reported some of their email accounts had been compromised as part of a phishing attack. As a result, the attacker was able to access patient information including health information, social security numbers, names, addresses, credit card numbers, and passport numbers.
The breach occurred in February 2019. It is unclear when Starling became aware of the breach. They did not notify patients until November 12, 2019. The investigation was concluded on September 12th, 2019.
What Could Have Been Done Differently?
There are a few things that could have been handled differently in this case.
- It's obvious MFA was not set up on individual email accounts. As has been the case in many breaches we have studied, having MFA set up and enforced would likely have prevented the breach.
- Not having MFA set up most likely means Starling Physicians does not have a BAA (Business Associate Agreement) with their email provider and/or IT Consultant. This puts your practice at risk. Not having a BAA in place puts the onus squarely on your practice if/when a breach occurs.
- Using email as a long-term storage solution is a big red flag. Why in the world would you store sensitive information in your email?
- This is an educated guess, but I’d be willing to bet that there was also no encryption being used.
The Potential Cost
At this time there is no indication of how many patient records were impacted. According to a Starling Physicians spokesperson, the number is less than 0.01 percent of active patients. Without that information, it is hard to put a dollar amount on this breach and a potential fine.
The information obtained in the breach includes items that could result in Starling Physicians being fined for HIPAA violations, PCI violations, and violations of Connecticut's data breach laws.
You can just about guarantee the OCR (the HHS Office for Civil Rights) will investigate and uncover the lack of a HIPAA compliance program. If that happens, Starling can be fined for all of their patient records, not just the ones involved in the breach.
The Lesson
This breach will turn out to be another example of a healthcare practice not taking HIPAA compliance seriously. There will likely be some finger-pointing but in the end, Starling Physicians most likely did not have a HIPAA compliance program.
It’s also likely they did not have an IT consultant who was HIPAA compliant, or they chose the cheapest route when it came to IT.
Here are some things that Starling Physicians should have been doing:
- Use Complex Passwords/Passphrases (upper case, lower case, numbers, special characters)
- Educate Your Staff on Social Engineering/Phishing
- Enable MFA
- Encrypt Email
- Do not treat email as a long-term storage solution
- Do not store sensitive information in email (PHI, PII and Credit Card Numbers)
- IT should be qualified and HIPAA compliant
- A HIPAA Compliance Program and a Security Risk Analysis need to be in place
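As a concrete check for the two email items above, here is an added example (not from the original post or from Starling Physicians) that scans exported message bodies for SSN- and card-number-shaped values, using a Luhn check and SSA issuance rules to cut false positives and masking whatever it reports. The sample messages are constructed, not real data.

```python
import re

# Constructed sample messages standing in for an exported mailbox; none of this is real data.
SAMPLE_MESSAGES = {
    "msg-001": "Patient John Q. Sample, SSN 123-45-6789, referred for follow-up.",
    "msg-002": "Card on file: 4242 4242 4242 4242, exp 12/25, keep for billing.",
    "msg-003": "Ref 987-65-4321; tracking number 1234567812345678 for the shipment.",
    "msg-004": "Meeting moved to 3pm, room 204.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: drops long digit runs (order/tracking numbers) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues: 000/666/9xx areas, all-zero group or serial."""
    return int(area) not in (0, 666) and int(area) < 900 and int(group) != 0 and int(serial) != 0

def mask(value: str) -> str:
    """Keep only the last four digits so the report itself does not become a PHI/PCI store."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_message(body: str) -> list:
    """Return (type, masked value) findings for one message body."""
    findings = []
    for m in SSN_RE.finditer(body):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", mask(m.group(0))))
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("PAN", mask(digits)))
    return findings

def scan_mailbox(messages: dict) -> dict:
    """Map message id -> findings, keeping only messages that hold sensitive data."""
    return {mid: f for mid, body in messages.items() if (f := scan_message(body))}

if __name__ == "__main__":
    for msg_id, found in scan_mailbox(SAMPLE_MESSAGES).items():
        print(msg_id, found)  # e.g. msg-001 [('SSN', '*****6789')]
```

Run it against a mailbox export (one body per entry) to get a list of messages that should be purged or moved to an encrypted system of record.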
Even if only a few patients were affected, it's likely enough to get the OCR's attention. Given the little information that is available at this point, it does appear there were at least a few failures in data protection. That indicates the lack of a HIPAA compliance program, which would include a security risk analysis.
That could result in a larger fine issued by the OCR.
As I reviewed the information available about Starling Physicians, they do not seem to have a very good reputation overall. A breach could be the nail in the coffin for them. Privacy, Customer Service and Patient Care should all be core components of any healthcare provider's culture. That's what HIPAA is about. It looks like Starling Physicians is failing in this area.