Unsecured emails trigger breach at Memphis medical center

By Erin McCann
11:18 AM

The Regional Medical Center in Memphis is notifying patients of a HIPAA breach after an employee sent out three unsecured emails containing the protected health information and Social Security numbers of nearly 1,200 patients.

The incident occurred between Oct. 29 and Nov. 1, 2012, but according to a hospital notification, the incident wasn't discovered until March 15, 2013. The unsecured emails included patients' names, Social Security numbers, dates of birth, account numbers, phone numbers and outpatient physical therapy services data. 

"The medical center has been and will continue to work closely with the company that received the emails, and it is believed the emails were deleted and not further used or disclosed at the time of the incident," the notification read. "The medical center believes this was an innocent employee mistake and has not received any indication that patient information has been used or further disclosed in an inappropriate manner by anyone."

Since the August 2009 Breach Notification Rule requiring that HIPAA-covered entities provide notification following a breach involving 500 patients or more, more than 1.2 million patients in Tennessee have had their protected health information compromised. 

In one of the biggest HIPAA breaches to date, Blue Cross Blue Shield of Tennessee reported 57 unencrypted computer hard drives stolen in 2009; the drives contained the protected health information of more than one million patients.

BCBST paid over $6 million for additional data encryption and spent nearly $17 million for protection, investigation and member notification. The organization was also required to pay an additional $1.5 to the Department of Health and Human Services.
