HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

24,000 Patients Impacted by Emory Healthcare Data Breach

Emory Healthcare (EHC) has discovered a former employee obtained the protected health information of several thousand EHC patients and uploaded the data to a Microsoft Office 365 OneDrive account, where it could potentially be accessed by other individuals.

The former employee was a physician at Emory Healthcare, who now works for the University of Arizona (UA) College of Medicine. EHC says patient information was taken without authorization and without its knowledge. EHC was alerted to the incident by the University of Arizona, and received a list of affected individuals on October 18, 2017.

The OneDrive account could only be accessed by the physician, other former EHC physicians now at UA, UA staff who investigated the incident, and potentially a limited number of other UA staff members who had a specific type of UA email account. PHI was not exposed on the Internet and no other individuals are believed to have been able to view the information.

UA hired a third-party forensic team to conduct an investigation, although no evidence was uncovered to suggest patient information was accessed or used in any way. UA has confirmed that all EHC patient information has been permanently and securely deleted from the account and its systems.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

EHC says no Social Security numbers, financial information, addresses, phone numbers, driver’s license numbers, or credit card information was exposed. The data uploaded to the account was limited to names, dates of service at EHC, provider names, medical record numbers, diagnoses, treatment information, treatment locations, and in some cases, dates of birth. The information was largely restricted to patients who had received radiology services at EHC between 2004 and 2014.

EHC is now notifying patients by mail that their protected health information has been exposed, and potentially disclosed. EHC has received no reports to suggest any of the information has been misused; however, as a precautionary measure, patients have been advised to remain vigilant and to take steps to protect themselves against potential fraudulent use of their information.

EHC is now taking steps to prevent incidents such as this from occurring in the future, including enhancing its patient care team education programs and reviewing and improving security measures.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 24,000 patients have been impacted by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.