A former worker at Emory Healthcare (EHC) has been found to have obtained the protected health information of 24,000 EHC patients and uploaded the data to a Microsoft Office 365 OneDrive account, where it was accessible to other people.
The former worker was a physician at Emory Healthcare who is now a staff member at the University of Arizona (UA) College of Medicine. EHC says client information was taken covertly and without permission. EHC was advised of the breach by the University of Arizona, and was sent a list of affected patients on October 18, 2017.
The OneDrive account that was used was only accessible by the physician, other former EHC physicians now working at UA, UA staff who looked into the incident, and possibly a small number of other UA workers who had a specific type of UA email account. PHI was not shared online and no other individuals are thought to have been able to access the details.
UA hired a third-party forensic company to carry out a review, although no details were uncovered to indicate patient information was shared or used in any manner. UA has stated that all EHC patient data has been permanently and safely taken down from the account and its systems.
EHC has revealed that no Social Security details, financial records, addresses, phone numbers, driver’s license data, or credit card information were accessed. The data shared to the account was limited to names, dates of service at EHC, provider identities, medical record files, diagnoses, treatment information, treatment centers, and in some cases, birth dates. The data mainly concerned patients who had received radiology services at EHC from 2004 to 2014.
EHC is now making contact with patients by post to advise them that their protected health information has been shared, and potentially seen. EHC has not been made aware of any proof to indicate any of the information has been improperly used; however, as a precautionary safeguard, patients have been told to remain cautious and to begin a process to safeguard themselves against potential fraudulent use of their information.
EHC is now adapting a policy to prevent incidents such as this from occurring in the future, including enhancing its patient care team education programs and reviewing security measures.
The official breach report shared with the Department of Health and Human Services’ Office for Civil Rights shows 24,000 individuals have been impacted by the violation.