News Feature | October 23, 2014

UC Davis Hack Demonstrates Need For Encrypted Data Security


By Christine Kern, contributing writer

Government IT News For VARs — December 10, 2014

Patient data must be protected at every stop along the communication highway.

A recent hack of a provider’s email account at the UC Davis Medical Center raises the issue of patient data security in all forms of communication – even email. According to Healthcare IT News, UC Davis officials stated that “patient information may be included in the provider’s email account” after it was discovered a physician’s e-mail account had been targeted by a hacker.

UC Davis sent letters to 1,326 affected patients informing them that their protected health information, which was contained in this physician's email account, was compromised. In the letters, Reed explained that UC Davis providers communicate via email for patient care purposes, regarding issues such as upcoming appointments or patient care exchange for a consultation or referral.

"When this happens, limited amounts of patient information may be included in the provider's email account," Reed explained in the letter.

UC Davis Health System suffered an earlier HIPAA breach in January, when officials there reported an incident following an email phishing scam that compromised the PHI of 2,269 patients.

The HIPAA Security Rule does not strictly prohibit communication via e-mail or other electronic means, so long as the information remains protected. Generally, e-mail communication may include appointment reminders as a part of treatment, although providers should be careful to include only the minimum amount of information needed, and should verify the e-mail address. They should also confirm that the patient wants to receive e-mails.

Incidents like the one at UC Davis serve to underscore the continued importance of vigilance when it comes to protecting the integrity of patient data. And they make a solid case for utilizing encrypted data, even in email communications between providers.

Nearly 39 million people have had their PHI compromised in HIPAA privacy and security breaches involving 500 people or more, according to data from the Department of Health and Human Services. Hacking breaches constitute nearly 10 percent, or 3.7 million people, of all HIPAA privacy and security breaches, according to HHS.