Posted 11/26/2012 01:02 pm
Updated 6 months ago
The University of Arkansas for Medical Sciences said Monday that it is notifying about 1,500 patients of a medical records breach involving a resident physician who was terminated in 2010.
UAMS said that former resident Nasrin Fatemi "kept some patient lists and notes regarding patients in violation of UAMS policy after leaving UAMS on June 3, 2010." UAMS said its HIPAA office discovered the breach on Oct. 9.
UAMS said Fatemi's documents were from January 2010 to June 2010 and "contained patient names, partial addresses, medical record numbers, dates of birth, ages, locations of care, dates of service, diagnoses, medications, surgical and other procedure names, and lab results."
No social security, bank account, or credit card numbers were included, UAMS said.
UAMS said it is notifying affected patients by mail and through its website.
"UAMS takes the privacy and security of its patients’ health information very seriously," it said in a statement.
UAMS said patients who believe their information might have been included in the breach and have questions can go to UAMSHealth.com/breach or call (888) 729-2755.
The UAMS HIPAA office learned of the documents when Fatemi produced them during her lawsuit against UAMS over her termination from the residency program.
On Nov. 7, UAMS became aware that additional documents Fatemi kept had been provided to UAMS attorneys on June 25.
"The records are now protected by a court order, which prevents them from becoming a public record and will prevent anyone from further using or disclosing the documents," UAMS said.
Fatemi "also assured UAMS under oath that she did not share the documents with anyone except her attorneys with whom she has a Business Associate Agreement that specifically protects this information," UAMS said.
In 2011, Fatemi sued UAMS in U.S. District Court in
She said in the lawsuit that she wasn't given the same opportunities to learn and perform surgeries as the male residents were.
Fatemi complained, and said she was eventually fired from the program in June 2010, less than six months after she began. She is seeking an unspecified amount of money for damages.
UAMS denied the allegations of wrongdoing in its court filing.
In April, UAMS reported a breach of information that exposed data on 7,000 patients. It placed an employee in a disciplinary process for violating its policies. The data, transmitted via a web-based email service, did not contain credit card, debit card, bank account or Social Security numbers.
At the time, UAMS said its security department had worked to make sure the data was permanently destroyed and "no longer at risk."