An academic medical center in California is notifying patients of a HIPAA breach after officials discovered a physician's email account had been hacked by an outside source.
University of California Davis Health System has notified 1,326 patients that their protected health information, which was contained in the physician's email account, was compromised. The breach, which occurred at UC Davis Medical Center, was discovered Sept. 26, according to the notification letters mailed to patients. The email incident had occurred one day earlier.
"Our IT team has undertaken a review of the event, but the exact root cause of the incident remains unknown. We do not see evidence of a phishing attack," said Shara Merritt Reed, privacy program director at UC Davis Health System, in an emailed statement. "We hesitate to speculate but deduce the credentials were obtained by other means in order to utilize the account."
In a letter mailed to affected patients, Reed explained that UC Davis providers use their email for patient care purposes, for example, upcoming appointments or patient care exchanges for a consultation or referral. "When this happens, limited amounts of patient information may be included in the provider's email account," she explained in the letter.
This is not the first HIPAA breach for UC Davis Health System. This January, UC Davis officials reported another HIPAA breach, following an email phishing scam that compromised the PHI of 2,269 patients.
To date, nearly 39 million people have had their protected health information compromised in HIPAA privacy and security breaches involving 500 people or more, according to data from the Department of Health and Human Services.
Breaches involving hacking account for nearly 10 percent, or 3.7 million people, of all HIPAA privacy and security breaches, according to HHS data.