Johns Hopkins University Applied Physics Laboratory (JHU/APL) Medical and Dental Insurance Plan

Protected health information was attached to an email addressed to 85 employees by a benefits staff member. Within 5 days, all recipients were notified, and the email was deleted. Approximately 692 individuals were affected by this breach. The email included names, dates of birth, social security numbers, and marital and disability status. To prevent a similar breach from happening in the future, the covered entity instituted a policy to encrypt emails containing protected health information before it is sent out from the benefits department. Following OCR's investigation, the covered entity updated its policies and procedures establishing a new business process to require that all emails sent by the benefits office to 5 or more staff members that includes an attachment be reviewed by another team member to ensure the proper document is attached and took personnel action with the responsible employee. Further, the benefits office will use an encryption specialist to train all benefits office staff in the proper methods of encryption, explore future capability of automated flagging of any electronic communications sent by benefits office staff containing potentially sensitive data such as 9-digit numbers, and obtain additional HIPAA training.
\
Location of breached information: Other
Business associate present: No