HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years

University of Iowa Health Care has discovered that patient information was accidentally exposed on the Internet for a period of around 2 years. The exposed data was limited and did not include any clinical data, financial information or Social Security numbers, only patients’ names, admission dates and medical record numbers. 5,292 patients of University of Iowa Hospitals and Clinics have been impacted by the incident.

The data were saved in unencrypted files that were inadvertently posted online via an application development website. The data had been accessible via the Internet since May 2015, and the error was discovered on April 29, 2017. UIHC spokesperson Tom Moore said the tip-off came from “an individual who is an expert on online security.” The tip-off prompted an immediate and thorough investigation. University of Iowa Health Care acted quickly to mitigate risk, and the files were deleted from the website on May 1, 2017.

The investigation did not uncover any evidence to suggest that any information was misused. Although the exposed data were extremely limited, University of Iowa Health Care has advised all affected individuals to follow good practices and monitor for data misuse, including by checking Explanation of Benefits statements from health insurers for signs of suspicious activity. All affected individuals have now been notified of the security incident by mail, with the breach notification letters sent on June 22. It does not appear that any information was copied. Moore said, “To our knowledge, the files had limited views.”

The data breach prompted University of Iowa Health Care to conduct a thorough risk assessment to identify vulnerabilities that could threaten the confidentiality, integrity and availability of PHI. Action has now been taken to mitigate risks, and University of Iowa Health Care has strengthened training and its information oversight efforts to prevent future security incidents. The enhanced security measures include tightening the process for the development and management of custom databases, further education for employees on how and when to use authorized tools that store and move data sets, and additional training on data privacy for individuals who develop applications.

Moore said, “UI Health Care values patient privacy and deeply regrets any inconvenience this may have caused patients and their families.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.