Covid-19 Test Result Leak Spotlights Email Security Risks

More than 200 people breathed a sigh of relief when they received an email from the city of Los Angeles with their negative Covid-19 test results.

But there was one problem. City staff accidentally sent out a mass email without blind copying the recipients. That meant each patient had one another’s email address.

The incident highlights the potential security risks that emailed test results pose as governments and industry struggle to combat the coronavirus pandemic.

“In a public health crisis, like the one we are in now, the right to privacy has to be balanced against the need to protect the public’s interest and safety,” Jessica B. Lee, a partner and co-chair of the privacy, security, and data innovations group at Loeb & Loeb LLP in New York, said.

“This doesn’t mean that privacy gets tossed out of the window,” she said.

Mayor Eric Garcetti’s office told Bloomberg Law that on March 27, it sent a message to the 216 email recipients about the error.

“We apologize for this error, have alerted the recipients of the March 26 email and have revised the protocols associated with all notifications of this type to protect against any future disclosures,” the office said.

Email Security

Sending patient test results and other health data has become a preferred method of communication. But in emergency situations such as now, health-care providers still need to be mindful of privacy and security concerns, attorneys and health-care advocates warn.

Privacy is still at risk, they say, even though the Department of Human and Health Services has relaxed certain rules to make it easier for covered entities and business partners to share patient health information needed to combat Covid-19.

Emails used to send sensitive health data are only as secure as the sender’s email server, according to Dawn Barry, the president and co-founder of data-sharing platform LunaPBC. So establishing a safer technology to dispatch the information is necessary moving forward, she said.

“Communication via a platform that has a system like two-factor authentication would be a smart way to report test results, whether there’s a health privacy rule exemption or not,” Barry said. “You need to make sure you’re communicating to the person you intended and only to them.”

While a better communication method is important during these times, the middle of a pandemic isn’t the best time to implement it, Axel Wirth, a chief security strategist at health care security firm MedCrypt, said.

“I find email, from a security perspective, is not up to what we need today for communication of confidential information,” Wirth said. “Once this is over though, should we look back and say, ‘Do we need a better pandemic reporting system?’ Yes. But, is this the time to build it? Probably not.”

Privacy Obligations

In the latest move to ease privacy rules, the HHS’s Office for Civil Rights loosened regulations April 2 under the Health Insurance Portability and Accountability Act to let business partners of hospitals and doctors share patient health data, as long as those entities are acting in good faith.

But that guidance doesn’t mean entities can forgo certain health security provisions, which are in place to ensure patient data is secure when transmitted to public health authorities, said Ed Simcox, chief strategy officer at LifeOmic and former HHS chief technology officer and acting chief information officer.

Health-care providers are still obligated to notify patients when their health data has potentially been released to the general public, despite the HHS’s eased rules, according to Linda A. Malek, chair of the health-care and privacy and cybersecurity practice groups at Moses & Singer LLP.

“Once the information is out there, then you do have a situation where, depending on the numbers, you have possibly a reportable breach.” Malek said. “It’s not just a HIPAA issue. It’s also—depending on what information is included—could become a state law data privacy breach as well.”

Companies that handle health data in California, for example, have to comply with the California Confidentiality of Medical Information Act.

Those companies must keep any personally identifiable information, such as email addresses and names, that comes from health-care providers, health plans, pharmaceutical companies, or contractors concerning a patient’s medical history, mental or physical condition, or treatment, confidential, according to the law.

Permanent Changes

Errors made and lessons learned during the coronavirus pandemic could help the health tech industry develop more secure patient portals for emergency situations moving forward, attorneys said.

Whether the pandemic results in an upgrade to the outdated privacy rules under HIPAA is yet to be seen, however, Malek said.

“If anything changes under certain HIPAA provisions, it might be that those kinds of provisions are modified to anticipate that something like this may happen again,” she said. “Rather than having OCR issue on-the-spot guidance and loosening them, they’ll have anticipated it and it’ll be part of new regulation.”

But at least on the industry side, the coronavirus could ultimately change how the health-care sector thinks about data.

“Perhaps this is a way to rethink from an innovation point of view. Should we be storing all this sensitive information in these health-care systems in a way that it’s attached to names and social security numbers? We should probably think about breaking that up into different databases,” Barry said.

“I think these email routes of giving back test results are probably just because we’re in a state of emergency, but perhaps we’ll use the established infrastructure that we create during this time to do better going forward,” she said.