The Lake County Health Department in Illinois announced that it experienced two data breaches that may have affected the personal data and protected health information (PHI) of about 25,000 patients.
The first data breach happened in 2019, when a Lake County Health worker sent an unencrypted email message from their work email account to an internal employee's personal email account. Attached to the email was a spreadsheet containing medical record requests from December 2016 until June 2019. The requests were made via a third-party firm that managed the release of data requests on behalf of the Lake County Health Department. The spreadsheet contained the names of 24,241 patients together with dates pertinent to the vendor.
Lake County Health found out about the breach on July 22, 2019; nevertheless, notification letters were sent to impacted patients only in July 2021. The almost two-year delay occurred because Lake County Health officers did not think notification letters were necessary, since no PHI was compromised. The Department of Health and Human Services did not agree with that analysis and demanded that notification letters be issued because PHI might have been exposed.
Another data breach, identified on May 14, 2021, concerned a Google spreadsheet containing the names, birth dates, email addresses, telephone numbers, and COVID-19 vaccination status of 705 individuals. The spreadsheet was kept in the employee's personal Google Drive account. Although Google Drive may be HIPAA compliant if used in healthcare in conjunction with other G Suite services, personal Google accounts are not HIPAA compliant. Google can view the data in personal Google accounts and uses that data to offer customized services and adverts. All impacted people were senior citizens who had sought information about COVID-19 vaccinations. Those people have already received notifications.
Although both privacy incidents resulted in the exposure of patient data, Lake County Health said that internal risk checks were done and found no evidence suggesting that unauthorized individuals acquired or misused any exposed information.
Since the data breach, the Lake County Health Department has put measures in place to prevent similar breaches in the future, such as encrypting all email messages and improving monitoring.