by John R. Fischer, Senior Reporter | January 28, 2022
The University of Arkansas for Medical Sciences says a breach perpetrated by a former employee may have exposed the protected health information of 518 patients.
The unidentified woman emailed the information in Microsoft Excel sheets back in November from her UAMS account to her personal Gmail account. UAMS discovered the breach later that month.
In writing, the former employee, who voluntarily left UAMS, said that the email was “an unintentional error on her part” and that she did “not retain or share” any information.
The spreadsheets included hospital account numbers, types of insurance, medical record numbers, dates for patient visits and claims information, as well as some patients’ dates of birth and medications. No credit card, debit card, bank account, address, driver’s license numbers or social security numbers were included, and there were no clinical documents or medical records in the attachments sent in the email, according to the university.
UAMS is notifying patients via mail and on its website, and has filed a police report with the UAMS Police Department. “UAMS takes patient privacy and security seriously, and when we discovered this mistake, we did everything we could to mitigate the risk and prevent similar incidents from happening,” said Heather Schmiegelow, J.D., UAMS HIPAA privacy officer, in a statement.
Many cybersecurity firms recommend that providers limit access to patient information to certain individuals to reduce the risk of breaches or theft.
UNC Hospitals in North Carolina recently experienced a breach in September, when it found that one of its employees, who was responsible for handling payments for services, was using patient information for personal financial gain. The former employee had access to patient demographic information, including social security numbers and copies of patient driver’s licenses and insurance cards.
The healthcare system confirmed that the employee used some patients’ demographic and financial information to fraudulently obtain goods or services. It notified 719 patients whose information may have been at risk for identity theft.
UAMS says it has policies and procedures in place to protect the privacy and security of patients’ health information and that all of its employees are required to complete annual HIPAA training. The training covers using and accessing patients’ health information for legitimate, authorized purposes, as well as using secure and encrypted email to communicate such data.