Washington University School of Medicine recently reported a patient data breach: an unauthorized person accessed an employee's email account in the major academic medical center's Division of Oncology. Following protocol, the School of Medicine secured the employee's account and contracted a leading computer forensic firm to assist with the investigation. The accessed emails included identifying patient information (e.g. date of birth, patient record number, diagnoses, social security number).
Of course, this preeminent institution acted directly, contacting patients, establishing a call center to answer questions and even offering credit monitoring services to those patients whose social security numbers were potentially accessed. Additionally, it recommended that patients whose records may have been viewed review their forthcoming insurer statements more carefully.
Washington University School of Medicine is undoubtedly reviewing its HIPAA handbooks and its general security and patient privacy/data protection policies and procedures, retraining staff (or, as it put it, reinforcing education) on how to identify and avoid suspicious emails, while also immediately applying additional security measures to its email environment. And here is the problem. No employee at an academic medical center (or any health provider) should be using standard email to transmit personally identifiable patient information. Rather, any communication involving this class of information should go through a more secure system.
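One practical way to enforce the "not over standard email" rule is an outbound screen at the mail gateway that looks for patient identifiers and refuses to relay a message carrying them unless the recipient is on a sanctioned secure-messaging domain. The following is an added illustration written for this post, not code from Washington University or any vendor; the identifier patterns, the secure-domain list and the sample messages are all constructed assumptions, and the record-number format in particular will differ from site to site.

```python
"""Outbound-mail PHI screen (hypothetical): flag or block messages that carry
patient identifiers (SSN, labelled date of birth, medical record number)
before they leave through ordinary email. Patterns and samples are constructed."""
import re
from dataclasses import dataclass

# Social security numbers in dashed form, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# A date of birth is only counted when labelled as such; a bare date is far too noisy.
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*[:#]?\s*(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE)
# Medical/patient record numbers when labelled in the text (the digit format is an assumption).
MRN_RE = re.compile(r"\b(?:MRN|patient record (?:number|no\.?))\s*[:#]?\s*([A-Z]?\d{6,10})\b", re.IGNORECASE)

PATTERNS = {"ssn": SSN_RE, "dob": DOB_RE, "mrn": MRN_RE}


@dataclass(frozen=True)
class Finding:
    kind: str
    redacted: str  # only the last characters survive, so the alert itself does not leak PHI


def _redact(value: str, keep: int = 2) -> str:
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def scan_message(body: str) -> list[Finding]:
    """Return one redacted Finding per identifier hit, in PATTERNS order."""
    findings: list[Finding] = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(body):
            value = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(kind, _redact(value)))
    return findings


def decide(body: str, recipient: str, secure_domains: set[str]) -> str:
    """Return "allow", "flag" or "block".

    Messages with identifiers may only travel to recipients in the sanctioned
    secure-messaging domains; anything else is blocked. A message whose only
    hit is a labelled date of birth is flagged for review rather than blocked,
    since that pattern is the most prone to false positives."""
    findings = scan_message(body)
    if not findings:
        return "allow"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in secure_domains:
        return "allow"
    kinds = {f.kind for f in findings}
    if kinds == {"dob"}:
        return "flag"
    return "block"


if __name__ == "__main__":
    # Constructed sample; no real patient data.
    sample = "Patient Jane Doe, DOB: 04/12/1961, MRN 00482193, SSN 123-45-6789, dx: stage II"
    secure = {"secure-mail.example.edu"}
    for f in scan_message(sample):
        print(f"{f.kind}: {f.redacted}")
    print(decide(sample, "colleague@gmail.example", secure))          # block
    print(decide(sample, "oncology@secure-mail.example.edu", secure))  # allow
```

A screen like this catches the routine case of staff pasting chart details into ordinary email; it does not replace a secure portal, and a dashed nine-digit order number will trip the SSN rule, so blocked messages need a review queue rather than silent discard.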
Major academic medical centers such as Washington University are of course health providers, but they are also major research centers—hence “sites” for purposes of clinical research. The same patients whose records must be carefully guarded are also potential participants, aka “subjects.” Patient security, and ultimately trust, is of the utmost importance. We commend the university for moving swiftly to mitigate this situation—disclosing it and dealing with it—but it is also a cautionary tale. If there is one such opening or vulnerability, then there are others. As a pandemic rages, criminal hacking and phishing operations are at work to capitalize on the data bonanza.