Emory Healthcare (EHC) has discovered a former employee obtained the protected health information of several thousand EHC patients and uploaded the data to a Microsoft Office 365 OneDrive account, where it could potentially be accessed by other individuals.
The former employee was a physician at Emory Healthcare, who now works for the University of Arizona (UA) College of Medicine. EHC says patient information was taken without authorization and without its knowledge. EHC was alerted to the incident by the University of Arizona, and received a list of affected individuals on October 18, 2017.
The OneDrive account could only be accessed by the physician, other former EHC physicians now at UA, UA staff who investigated the incident, and potentially a limited number of other UA staff members who had a specific type of UA email account. PHI was not exposed on the Internet and no other individuals are believed to have been able to view the information.
UA hired a third-party forensic team to investigate the incident. No evidence was uncovered to suggest patient information was accessed or used in any way. UA has confirmed that all EHC patient information has been permanently and securely deleted from the account and its systems.
EHC says no Social Security numbers, financial information, addresses, phone numbers, driver’s license numbers, or credit card information was exposed. The data uploaded to the account was limited to names, dates of service at EHC, provider names, medical record numbers, diagnoses, treatment information, treatment locations, and in some cases, dates of birth. The information was largely restricted to patients who had received radiology services at EHC between 2004 and 2014.
EHC is now notifying patients by mail that their protected health information has been exposed and potentially disclosed. EHC has received no reports to suggest any of the information has been misused; however, as a precautionary measure, patients have been advised to remain vigilant and to take steps to protect themselves against potential fraudulent use of their information.
EHC is now taking steps to prevent incidents such as this from occurring in the future, including enhancing its patient care team education programs and reviewing and improving security measures.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 24,000 patients have been impacted by the breach.