The employee of a major health care provider sent a business partner a spreadsheet containing protected health information (PHI), in the form of names, account numbers, and health data for thousands of patients. Rather than using the normal method of sending such information through a secure data transfer site encrypted with Secure Socket Layer (SSL) technology, the employee sent the information via company email, but the company’s Data Leak Protection software did not detect any security issues. The business partner, now upset, claimed the data had arrived “in the clear” in violation of Health Insurance Portability and Accountability Act (HIPAA) Security Rules. The privacy officer and in-house counsel for the health care company hired Stroz Friedberg to investigate the allegation.
Stroz Friedberg’s examiners first analyzed the email at issue, as well as corresponding follow-up emails among the parties to make sure that the potential problem had not spread. We then interviewed a host of relevant people: managers from both the sending and receiving parties, members of each company’s IT department, and the business partner’s spam filtering company. Along the way, we collected detailed email traffic data for forensic analysis and mapped the course of the email through each network gateway as it travelled cross-country.
Stroz Friedberg discovered that the health care provider, by default, sent messages over the Internet using a secure connection encrypted with Transport Layer Security (“TLS”), a setting known as “default TLS.” This setting creates an encrypted TLS channel if the recipient email server is configured to accept TLS. In fact, the email headers and log files showed that the problematic email went through this encrypted channel, travelling all the way from the health care provider’s site to the recipient’s own email servers.
The healthcare provider was relieved that it would not have to report a potential data breach to government authorities and thousands of individual victims. But our client also wanted to allay the concerns of its business partner, so they had us issue and explain a comprehensive report to the business partner’s managers and IT staff. At the conclusion of the case, Stroz Friedberg successfully alleviated all concerns and recommended improved email security protocols with the healthcare provider itself.