After an emailing error, the University of Cincinnati Medical Center has announced a health data breach potentially compromising the PHI of 1,064 individuals.
Starting in 2014, the medical center experienced nine incidents of emailing private patient information to the wrong email address, according to a hospital statement. While the hospital reportedly intended to send the emails to employees within the hospital network, UC Health workers swapped two letters in the domain name, thus inadvertently sending the emails to someone potentially not within the hospital system. UC Health discovered this error on September 16, 2015.
The information compromised in this incident includes patient names, dates of birth, medical record numbers, dates of services, physician names, and diagnosis information. UC Health did not report the disclosure of any Social Security numbers or other private financial information.
Although the email mistake did not disclose any financial or billing information, and UC Health has no reason to believe the information has been misused, hospital officials still encourage potentially affected individuals to open a fraud alert on their credit cards and to enlist the services of a credit monitoring agency.
UC Health will also send notification letters to all potentially affected individuals. Furthermore, UC Health has created a block on any emails sent to that domain name in the future.
UC Health expressed regret for the incident and emphasized its commitment to protecting private patient information.
“UC Health takes very seriously our role of safeguarding the personal information of our patients and using it in an appropriate manner and we apologize for any concern or inconvenience this situation may cause,” the hospital said in a statement.
Health data security breaches as a result of improper emails have been a recurring trend in the healthcare space. Earlier this year, a PHI data breach occurred at Nephropathology Associates, PLC in Arkansas.
As reported by HealthITSecurity.com, an email including PHI and de-identified information was sent to a hospital vendor. Although the email was reportedly sent to the correct recipient, the PHI was not supposed to be included. The vendor was immediately told to destroy all copies of the email and the PHI attachments, and the vendor replied with written assurance that the information had indeed been destroyed.
Potentially disclosed information included patient names, ages, Nephropath accession numbers, referring physicians, and pathology diagnoses. Just as in the UC Health breach, no Social Security or other billing information was included.
In the wake of the incident, Nephropathology Associates assured its customers that it was reinforcing its security efforts and training.
“As a result of this incident Nephropath is reviewing its policies and procedures to protect against future incidents of this nature,” the healthcare provider stated. “As part of this process we will be providing additional training to our workforce and the responsible employee.”