UMC Physicians Discovers Patient Information Was Uploaded to Unapproved and Unsecured Cloud Service

The Lubbock, TX-based medical group UMC Physicians is alerting patients of UMC Southwest Gastroenterology that some of their protected health information has been exposed as a result of errors of judgement by two of its employed providers.

Those providers had each set up a Google shared drive which was used to track follow up tasks related to the provision of care to patients. While the shared drives were set up with good intentions and were intended to help improve the care provided to patients, the providers used an unapproved cloud storage solution and patient data was inadvertently stored on an unsecured network.

UMC Physicians discovered the policy violation on March 12, 2019 and launched an investigation to determine which patients’ protected health information had been exposed. During the course of that investigation, UMC Physicians determined that one of the providers had also been forwarding emails containing patient information to an unsecured Gmail account.

The types of information that had been stored on the unsecured network and emailed to the Gmail account included names, addresses, telephone numbers, medical record numbers, dates of birth, dates of service, health insurance carriers, diagnoses, and medical procedures performed. Highly sensitive information such as Social Security numbers, insurance policy numbers, and financial information were not exposed.

In response to the discovery, UMC Physicians has provided additional training to employees on the use of approved cloud storage solutions and technical controls will be implemented to prevent unauthorized cloud storage solutions from being used in the future.

No evidence has been found to suggest patient information has been accessed by unauthorized individuals nor have any reports been received to indicate there has been misuse of patient information. All patients whose protected health information has been exposed have been notified of the breach by mail.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the PHI of 3,300 patients was exposed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.