UT Southwestern Medical Center Data Breach Affects 43,000 Patients
UT Southwestern Medical Center (UTSW) in Texas has recently reported an email-related unauthorized access/disclosure incident to the HHS’ Office for Civil Rights (OCR) involving the protected health information of up to 43,048 patients.
The substitute breach notice on its website explains that UTSW was made aware of the privacy incident on October 10, 2024. Members of the workforce were using a third-party calendar management tool which inadvertently allowed the vendor to access certain calendars and, in some cases, the calendars included patients’ protected health information.
The investigation revealed employees had added patient data to the third-party tool which included names, dates of birth, medical record numbers, phone numbers, date(s) of planned services, medical diagnoses, lab test results, medication information, insurance benefits information, and, for certain patients, partial social security numbers.
The breach notice does not state for how long the calendar tool was used by employees, whether UT Southwestern Medical Center had expressly permitted employees to use the tool, or whether they were allowed to enter patients’ protected health information into the tool.
Under HIPAA, if a third-party tool is used in connection with electronic protected health information (ePHI), a business associate agreement must be obtained from the vendor. That does not appear to have been the case here: had a business associate agreement been in place, there would presumably not have been a reportable breach.
UTSW said it is unaware of any misuse of patient data as a result of this incident and notifications will be mailed to the affected individuals. UTSW said it has “implemented robust processes to limit the amount of information shared with third-party vendors and will continue monitoring for sensitive data leaving its network and systems.”
It has not been a good year for UTSW as far as data breaches are concerned. This is the third breach to be reported to OCR by UTSW this year, and the sixth data breach since 2020. In September, the ePHI of 778 individuals in its electronic medical record system was impermissibly accessed by an unauthorized individual, and in March, unapproved software was used internally which allowed unauthorized individuals to access the records of 1,956 patients.
The other three breaches were a hacking incident in May 2023 involving unauthorized access to the ePHI of 98,437 patients, in which the Clop group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution, and two earlier unauthorized disclosure incidents, one in 2021 (3,640 records) and another in 2020 (15,535 records).
Georgia Department of Public Health
The Georgia Department of Public Health (DPH) has recently notified OCR about an email breach affecting at least 500 individuals – a commonly used placeholder figure when the number of affected individuals has yet to be determined.
The substitute breach notice on the DPH website does not indicate when the breach was detected or for how long there was unauthorized access to email accounts. An email service provider contracted by the Georgia Technology Authority discovered unauthorized access to the email accounts of certain DPH employees and secured the accounts. The review has recently been completed and DPH is currently locating up-to-date contact information to allow individual notifications to be mailed.
The data potentially compromised in the breach varies from individual to individual and may include names along with one or more of the following: Social Security number, financial account information, driver’s license information, date of birth, and medical information, including medical record number, diagnosis information, treatment information, and physician information.
DPH was unable to confirm if patient data had been viewed or acquired and is unaware of any misuse of the affected data.
Hardin County Emergency Medical Services
Hardin County Emergency Medical Services in Kentucky has discovered unauthorized access to an employee’s email account. The email account breach was identified on September 26, 2024, when the account was used to send spam emails. The account was disabled, and a third-party digital forensics firm was engaged to investigate and determine the scope of the unauthorized access.
The investigation confirmed the breach was limited to a single email account, with the first unauthorized access occurring on July 1, 2024. Thereafter, the account was intermittently accessed between August 1, 2024, and September 26, 2024, during which time the contents of the mailbox were downloaded. Emails and attachments were reviewed and on November 15, 2024, Hardin County EMS confirmed that the ePHI of 1,046 patients was contained in the account.
Information stolen in the incident included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical diagnoses/conditions, treatment information, healthcare provider names, dates/locations of service, case identification numbers/unique identifiers, insurance identification numbers, and insurance/billing information.
Hardin County EMS has enhanced password complexity requirements, strengthened procedures for accessing employee email accounts, reduced the amount of information stored in email accounts, and provided additional cybersecurity training to the employee.