Examples of HIPAA Email Violations

It is easy to find clear examples of HIPAA email violations in the archive pages of HHS’ Breach Portal, but many more types of data breach have an email element. Unfortunately, due to a lack of transparency and accuracy in breach reporting, it is not possible to get a clear picture of HIPAA violation email examples – making it difficult for HIPAA-regulated entities to implement effective prevention measures.

Since the passage of the HITECH Act, HHS’ Office for Civil Rights has been required to maintain a publicly accessible Breach Portal on which all HIPAA data breaches affecting 500 or more individuals are listed. The Breach Portal is divided into two sections – “Breaches Currently under Investigation” and “Archive”. Both sections can be filtered by breach type and breach location, and viewed online or exported in various formats for analysis and review.

Most archived HIPAA data breaches also include a web description explaining how the breach occurred, the type(s) of PHI breached, and what action the breached entity took following the event. By filtering the archive for breaches in which the breach location was “Email” and exporting the output in CSV format, it is possible to identify the causes of more than one thousand HIPAA data breaches in which an email element existed.

HIPAA Training for Employees

Examples of HIPAA Email Violations

Whether the output represents more than one thousand examples of HIPAA email violations is questionable due to a lack of transparency. For example, the majority of data breaches in which an email element exists are attributable to an interaction with a phishing email. Many web descriptions fail to note whether HIPAA training was provided after the event – which would imply the breach could have been avoided with more effective training.

Most other data breaches in which an email element existed are clear examples of HIPAA email violations. Among the most common examples of HIPAA email violations are:

  • Misdeliveries – emails being misaddressed and sent to incorrect recipients.
  • Insider Theft – employees emailing PHI to personal accounts.
  • Lack of Encryption – plain text emails being transmitted over public services.

Relevant to these examples of HIPAA email violations is Verizon’s Data Breach Investigations Report (DBIR). In the latest edition of the Report (DBIR 2024), Verizon suggests that – overall – 68% of data breaches include a “human element”. However, in its analysis of healthcare data breaches, Verizon increases the percentage to 83% due to misdeliveries and other miscellaneous errors, privilege misuse, and unspecified “gaffes”.

HIPAA Violation Email Examples and Caveats

When reviewing HIPAA violation email examples that have been exported from HHS’ Breach Portal, there are a number of caveats attached. The first is that  HHS’ Breach Portal only lists breaches affecting 500 or more individuals. This represents <1% of all breaches notified to HHS’ Office for Civil Rights each year. For example, in 2022, 64,592 HIPAA data breaches were notified to HHS’ Office for Civil Rights. Only 626 affected 500 or more individuals.

The second caveat is that the data in HHS’ Breach Portal is uploaded by breached entities – not by HHS’ Office for Civil Rights. In many cases, breached entities may attempt to disguise how a breach occurred in order to mitigate the threat of a civil lawsuit. Although HIPAA does not have a private right of action, several civil lawsuits based on state laws have been filed against HIPAA covered entities based on information uploaded to the Breach Portal.

Breached entities can also lack accuracy when uploading information to HHS’ Breach Portal. For example, several HIPAA violation email examples included in the “Email” category are attributable to the loss or theft of a device, while some misdelivery events are miscategorized as “Unauthorized Access” to a “Network Server”. Miscategorized HIPAA data breaches naturally do not appear on a list of data breaches that has been filtered for “Email” events.

Implementing Effective Prevention Measures

The lack of transparency and accuracy in data breach reporting makes it difficult for HIPAA-regulated entities to implement effective prevention measures. The difficulty is increased by many sources suggesting adding more security solutions is the answer – despite phishing simulation software, data loss prevention software, and email encryption software having been available since before HHS’ Office for Civil Rights launched the Breach Portal.

Possibly the most effective prevention measure is workforce training. However, rather than repeat generic security training, HIPAA regulated entities should focus on security training that discusses why PHI is target by cybercriminals and the real consequences of healthcare data breaches in terms of operational disruptions, medical identity theft, and the impact on the timeliness and quality of care while recovering from a data breach.

Discussing these topics in the context of the examples of HIPAA email violations mentioned above could prompt workforce members to think twice before interacting with a phishing email or take more care when sending emails. It could also mitigate the threat of insider theft. HIPAA regulated entities who would like to know more about security training of this nature are advised to speak with an independent HIPAA compliance professional.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/