The sending of three emails including personally identifiable information of patients between October 2012 and February 2013 has led the Regional Medical Center in Memphis (the MED) to report a health data breach, according to a public notice issued by the healthcare organization on May 9, 2013.
The details from the notice are sparse. The organization determined on March 15, 2013, that three emails were sent on Oct. 29, 2012; Nov. 1, 2013; and Feb. 4, 2013. Each contained some protected health information (PHI) of patients receiving outpatient physician therapy treatment between May 1, 2012, and Jan. 31, 2013. The information comprising this PHI included the following items:
• patient’s name,
• patient account number,
• date of birth,
• Social Security number,
• home phone number, and
• type/reason for PT services
The MED is asking that patients who received services during the aforementioned period and have not received a notification letter contact the organization by phone at (855) 716-3627 for more information. The Memphis-based organization does not believe that any PHI has been misused or that information has been disclosed inappropriately, although it is offering a year’s worth of free credit monitoring to those potentially affected by the improper disclosure.
A report by WREG’s Adam Hammond puts the figure of potentially affected patients at 1,200. The MED told WREG that a list of patient medical records was “accidently attached” to an email and sent.
In a copy of the patient notification letter acquired by WREG, the MED has indicated that it is working “closely with the company that received the emails, and it is believed the emails were deleted and not further used or disclosed at the time of the incident.” The company receiving the information in error has not been identified.
Likewise, the MED has deemed the health data breach an “innocent” blunder by an employee:
The medical center believes this was an innocent employee mistake and has not received any indication that patient information has been used or further disclosed in an inappropriate manner by anyone. However, in an abundance of caution, the medical center is notifying affected patients of this incident by letter and has retained a specialty firm to provide one year of free credit monitoring services to affected patients. While the medical center maintains a robust privacy and security compliance program, it also has taken internal steps to help ensure this does not happen again.
The MED could not be reached for comment at the time of publishing this report.