In Illinois Lake County Health Department has revealed that it has been impacted by two separate data breaches that could have impacted the protected health information (PHI) of approximately 25,000 patients.
The initial breach took place, when a Lake County Health staff member broadcasted an unencrypted email from their staff email account to the personal account of a co-worker during 2019. Included in the email had been a spreadsheet that listed the medical record requests made during the time period from December 2016 to June 2019. An external company has processed the requests that were related to Lake County Health Department release of information requests. The spreadsheet listed the identity of 24,241 patients along with details of appointments with the vendor.
The breach was first spotted by Lake County Health on July 22, 2019; however, it was not until July 2021 that notification letters were issued to patients who may have been impacted. Lake County Health officials stated that this delay was permitted to take place as they were of the opinion that they were not required as no personal health information had been affected during the breach.
Despite this, the Department of Health and Human Services stated that they were not in agreement with this assertion. It confirmed that notification letters should have been to be issued as PHI may have been infiltrated as part of the potential HIPAA breach.
On May 14, 2021 another data breach was identified when a Google spreadsheet was discovered which listed the names, birth dates, emails contact details, phone contact details, and the COVID-19 vaccination status of 705 Lake County Health clients. This list has been held in a staff member’s personal Google Drive. While it is true that Google Drive can be used in a HIPAA-compliant fashion, along with other G Suite services, personal accounts cannot be used in a HIPAA-compliant manner. This is due to the fact that Google will be able to access any data that is located in personal Google accounts. This access is possible as Google creates targeted services and adverts based on the data that has been saved. In case the spreadsheet contained lists of seniors that had made contact in relation to queries related to COVID-19 vaccinations. Lake County Health has now informed all impacted individuals of this potential breach of their PHI.
In both of these incidents patient data was exposed. Responding to this, Lake County Health stated that internal risk assessments had been completed and there was no proof found to suggest that impacted data had been accessed/stolen by unauthorized individuals or improperly used.
Since the breach was discovered, Lake County Health Department has configured additional security solutions and administrative processes to ensure that breaches like this are prevented going forward. Some of the new features include email encryption and additional monitoring measures.