University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years

University of Iowa Health Care has discovered that patient information was accidentally exposed on the Internet for a period of around 2 years. The exposed data was limited and did not include any clinical data, financial information or Social Security numbers, only patients’ names, admission dates and medical record numbers. 5,292 patients of University of Iowa Hospitals and Clinics have been impacted by the incident.

The data were saved in unencrypted files which were inadvertently posted online via an application development website. The data had been accessible via the Internet since May 2015, with the error discovered on April 29, 2017. UIHC spokesperson Tom Moore said the tip-off came from “An individual who is an expert on online security.” The tip-off prompted an immediate and thorough investigation. University of Iowa Health Care acted quickly to mitigate risk, with the files deleted from the website on May 1, 2017.

The investigation did not uncover any evidence to suggest any information was misused. While the exposed data were extremely limited, University of Iowa Health Care has advised all affected individuals to follow good practices and monitor for any data misuse, including checking Explanation of Benefits statements from health insurers for signs of suspicious activity. All affected individuals have now been notified of the security incident by mail, with the breach notification letters sent on June 22. It does not appear that any information was copied. Moore said, “To our knowledge, the files had limited views.”

The data breach prompted University of Iowa Health Care to conduct a thorough risk assessment to identify vulnerabilities that could threaten the confidentiality, integrity and availability of PHI. Action has now been taken to mitigate risks, and University of Iowa Health Care has strengthened training and its information oversight efforts to prevent future security incidents. The enhanced security measures include tightening the process for the development and management of custom databases, further education for employees on how and when to use authorized tools that store and move data sets, and the provision of additional training on data privacy for individuals who develop applications.

Moore said, “UI Health Care values patient privacy and deeply regrets any inconvenience this may have caused patients and their families.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
