NYC Doctor Mistakenly Leaks Data of 15K Patients - HIPAA Breach!


Ida Siegel of NBC News New York recently reported that a dermatologist's office in Soho, NYC mistakenly leaked a spreadsheet containing sensitive data on 15,000 patients. NBC New York reported that the document was a detailed list of nearly 15,000 names and corresponding addresses, appointment dates and Social Security numbers, all from the office of a dermatologist in Soho (published by NBC New York). It seems that the New York doctor's office made a silly but very serious error by sending out the patient data as an email attachment. One of the patients affected by the breach told NBC New York that instead of attaching a coupon to an email, the office attached a spreadsheet containing patient data and sent it to her. When she opened the attachment, she found all the patient data, including her husband's.

Check out this video by NBC New York -


Penalties for HIPAA Breaches

The penalties for HIPAA breaches can be severe. There can be fines of up to $1.5 million, and state attorneys general can also take legal action against individuals and corporations found to have revealed or leaked the PHI of state residents. Such a simple mistake could certainly prove to be a very costly one!

HIPAA Breach Can Damage Your Reputation Big Time

While the investigation of the NYC dermatologist's data breach is still going on, I decided to see what's happening around the web.

This is what I found in the Yelp listing of the NYC dermatologist -

And there were a few other nasty comments!

You see - it is not only the money but also patient trust that can be lost because of one silly mistake.

Emails are HIPAA's Biggest Enemy

Medical professionals, especially doctors and their staff, have to realize that email is the weakest link in all possible HIPAA breaches. Email is not only insecure but also lands in someone else's inbox if there is a typo or an incorrect address - basically, in one click you are leaking PHI and committing a major HIPAA breach!

I was reading a post on TechCrunch a few days ago in which the makers of Slack made a very profound statement: "Email is a protocol, not a platform. Any email address is interoperable with any other. As a result, no single company has been able to build a successful network around email." In my opinion, this is also the reason why healthcare should not be using email for secure communication: because it is not a platform!

This very incident, the NYC dermatologist's HIPAA breach, is a clear example of how email can destroy your practice in a flash. All insecure email communication in a medical practice, both internal and external, is a ticking time bomb that can demolish your practice at any time.

The first and simplest step that medical practices can take to eradicate HIPAA breaches is to move all internal and external communication onto a secure healthcare platform.
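As an added illustration (not part of the original post, and not Klara's code), here is the kind of outbound-attachment check a mail gateway or DLP filter applies: it holds a message to an external recipient when an attachment carries Social Security number patterns, which is exactly the spreadsheet-instead-of-coupon mistake described above. The sample spreadsheet, coupon text and domain names are constructed for the example.

```python
import csv
import io
import re

# Constructed sample: a patient export like the one in the story (names,
# addresses, appointment dates, SSNs). All values are made up.
PATIENT_EXPORT = """name,address,appointment,ssn
Jane Doe,1 Example St,2014-03-01,123-45-6789
John Roe,2 Example Ave,2014-03-02,234-56-7890
"""

# Constructed sample: the attachment the office meant to send.
COUPON = "Spring promo: 20% off with code SKIN20 before 2014-04-30.\n"

# SSN shape NNN-NN-NNNN, excluding area/group/serial values the SSA never issues.
# Dates such as 2014-03-01 do not match because the first field must be 3 digits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def count_ssns(text):
    """Number of SSN-pattern hits in an attachment's text content."""
    return len(SSN_RE.findall(text))


def attachment_risk(filename, content, threshold=1):
    """Describe why an outgoing attachment should be held.
    threshold: SSN-pattern hits at or above which the attachment is blocked."""
    hits = count_ssns(content)
    rows = 0
    if filename.lower().endswith(".csv"):
        # Data rows excluding the header; useful for the incident report.
        rows = sum(1 for _ in csv.reader(io.StringIO(content))) - 1
    return {"file": filename, "ssn_hits": hits, "rows": rows,
            "blocked": hits >= threshold}


def gate_outgoing(recipient, attachments, allowed_domains=("clinic.example",)):
    """Hold the message if any attachment is blocked and the recipient is
    outside the practice's own domain (hypothetical domain list).
    attachments: list of (filename, text_content) pairs."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    external = domain not in allowed_domains
    findings = [attachment_risk(name, body) for name, body in attachments]
    held = external and any(f["blocked"] for f in findings)
    return held, findings
```

A held message would be quarantined for a human to confirm the attachment before release, rather than bounced with the data echoed back.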

"I Don't Care About HIPAA!"

Klara is a free, secure (HIPAA-compliant) healthcare communication platform. Besides patient communication, medical professionals also use Klara to connect and communicate with any combination of internal or external medical professionals (physicians, MAs, PAs, nurses, staff, etc.), including pharmacies, billers and labs, which means that if you are exchanging your patient's insurance information with your biller on Klara, even that is SAFE!

The pity is that every now and then, when I speak to medical professionals or physicians, they seem to take data breaches lightly. Moreover, a few of them have told me to my face that they don't care about HIPAA at all. I completely fail to understand why physicians and their staff are not receptive to the idea of secure communication even when it is offered as a free service.

I started to think about why a few medical practices simply do not care about secure communication. One reason could be that there have clearly not been proactive crackdowns on medical practices to verify whether they adhere to the security measures required by HIPAA. Sometimes they say it is one more piece of technology in their practice, which may be true, but what if you can have a plug-and-play system such as Klara?

Patients Are Equally Responsible for HIPAA Breaches

Don't get me wrong, but patients are equally responsible for HIPAA compliance. Not many patients are aware of data security, which means hardly any of them demand that their doctors implement a system to protect their data, and this situation elicits little or no response from medical practices when it comes to implementing a secure communication channel.

Overall, both reasons combined point to a lack of initiative from either the medical practice's side or the patient's side until there is a data breach. This has to be a collective effort; the push should come from both sides. Medical practices should proactively adopt HIPAA-compliant platforms, and patients should proactively question the mode of communication between themselves and their medical practices.

First and foremost, patients have to stop emailing medical practices. All patients have to do is make sure that they are not communicating with their medical practices or hospitals via email unless it is secure, and ensure that every measure is taken to prevent a breach of their data. This can't be so difficult, can it?

Don't Be a Victim of HIPAA Breach

Data security is at the core of our product at Klara. This is also the reason that doctors and their teams can work stress-free while we take care of everything else related to data. This is one of the testimonials we received from a physician who owns a medical practice -


Now it is your turn -

If you are a physician, medical assistant, physician assistant, case manager, pharmacist, medical biller or any other medical professional, get a FREE HIPAA-compliant platform for your entire team here.

If you are a patient, tell us if you would like to connect with your doctor on a secure communication channel for FREE here.

More Regulatory Details on HIPAA

HIPAA and HITECH Compliance Mandate

The HIPAA Security Rule requires medical companies to address text messaging as part of their risk management strategy. Based on that risk management strategy, the organization must determine the appropriate administrative, physical and technical controls to mitigate the risks of sending PHI via text messaging.