Knowing what constitutes Protected Health Information (PHI) and how this data could be exposed to risk is critical for health organizations that want to safeguard their patients. A sophisticated hack isn't the only way to put this data into the wrong hands, as something as simple as a phishing email could make sensitive identifiers easier to access.
St. Vincent Medical Group in Indiana recently reported that it was the subject of an email phishing scam this past December. An employee was the victim of a phishing email that may have put around 760 patients at risk. The organization emphasized that individual records were not accessed, and said it is offering identity protection for affected victims who may have had their Social Security Numbers exposed.
Even though the email username and account password of the "phished" employee were immediately "shut down," the center said that account numbers and demographic data are among the information possibly compromised.
What this shows is that clicking a malicious link in an email remains a practice that endangers patient privacy and leaves hospitals liable. In a recent article for Wired, Kim Zetter said that phishing emails on average take one minute and 20 seconds to affect a business, as a Verizon Breach Investigations Report states.
Because something this serious can take place in such a short span of time, medical entities should take precautions to make sure patient identifiers are not left vulnerable. HIPAA has specific rules dictating what is and isn't PHI, and confusing the different scenarios will also lead to misunderstanding of what can be done to successfully "de-identify" this data. Responding to HIPAA violations is easier with professional guidance from experienced consultants who can highlight weak spots in a practice's current strategy.