Sometimes it takes a few breaches before I notice a trend or general issue that I think needs to be addressed. This week, I found myself looking at so many reports of doctors’ e-mail accounts being compromised that I decided the topic deserved a post of its own.
If you do not know what breaches I’m referring to, consider this: in January, Catholic Health Initiatives (CHI), Baylor Health, and KentuckyOne all had doctors at a number of their facilities fall for phishing scams that compromised doctors’ e-mail accounts. The e-mails in those accounts contained unencrypted PHI.
Franciscan Medical Group (part of CHI) notified 8,300 patients, Baylor Health notified 8,480 patients at four of their facilities, and KentuckyOne notified 3,500 patients. That’s a lot of patients who had PHI exposed and potentially misused because doctors had unencrypted PHI in e-mails stored on their computers or on the health systems’ servers.
And then today, we learned that CHI had a second breach this year involving doctors’ e-mail accounts. This time, CHI itself was the victim of DNS hijacking and the attacker was able to redirect all e-mails addressed to the catholichealth.net domain – the domain that hosted the mail server for doctors.
In a complaint it filed in federal court against the “John Doe” Hacker, CHI did not provide an actual estimate of how many e-mails from other doctors, laboratories, or patients had been redirected between March 25 and March 30, but they estimate that it was a lot. And as I noted in my post about that breach, it’s not clear to me whether all those e-mails were deleted from their server, which would mean that potentially a lot of patients had PHI exposed or compromised, but CHI may have no way of knowing who to notify or what PHI was involved.
So should hospitals and health systems allow doctors to have unencrypted PHI in their e-mail accounts?
Baylor Health declined to discuss their policy with PHIprivacy.net, saying that they do not discuss their internal security policies. They may not discuss them with us, but I think we should discuss them – theirs and the many others who may leave PHI at risk of doctors falling for phishing scams or DNS hijacking.
Given that we’ve already had tens of thousands of patients’ PHI exposed or compromised by attacks on doctors’ e-mail accounts this year, might this be a good time for HHS to publish some guidance or a reminder about protecting PHI in e-mails?