UAMS Error Exposes Data on 7,000 Patients

The University of Arkansas for Medical Sciences said Friday that is had discovered a breach of patient information that exposed data on 7,000 patients. It said it has placed an employee in a disciplinary process for violating its policies.

UAMS said in a news release that the data, transmitted via a web-based email service, did not contain credit card, debit card, bank account or Social Security numbers. It said its security department has worked to make sure the data was permanently destroyed and "no longer at risk."

"UAMS takes patient privacy and security seriously, and when we discovered this mistake, we did everything we could to mitigate the risk and prevent similar incidents from happening" Vera Chenault, UAMS privacy officer, said. "We want patients to know what steps to take to protect themselves in the event that their information might have been included."

People whose data was exposed were interventional radiology patients seen at UAMS during 2009, 2010 and 2011. UAMS set up a toll free number, (877) 615-3745, for patients to call to determine if their information was included in the breach.

UAMS also sent letters to affected patients. 

UAMS said the breach occurred in February, when an UAMS physician sent financial data "to an individual outside of UAMS for analysis of billing charges." The information, UAMS said, was "not properly de-identified."

UAMS did not identify the physician who sent the data or the person who received it.

On April 6, UAMS discovered that the data contained "patient names, UAMS account numbers, dates of service, interventional radiology procedures, diagnosis codes, and charges and payments."

UAMS said it contacted the recipient of the data, who assured UAMS that "he had not disclosed the information to anyone else and that he did not look at or use patient names when he worked on his financial analysis."

"The UAMS employee who failed to properly de-identify the data has been placed in the disciplinary process for violating UAMS policies," the medical center said in a news release. "UAMS also is conducting additional training of its workforce and evaluating its policies to prevent an incident like this from recurring."