PHI Breach at UAB Medicine Leaves 652 Potentially Exposed

In Birmingham, Alabama, the UAB Medicine Viral Hepatitis Clinic has discovered a breach of patients’ protected health information (PHI) that could have affected up to 652 patients.

The group, UAB Medicine, uses flash drives to transfer information from its Fibroscan machine to a computer. Two flash drives were identified discovered as missing on October 25, 2017. The portable storage devices were used to hold a limited amount of PHI in relation to the 652 patients concerned.

Information stored on these particular devices included first and last names, gender, birth dates, images and numbers corresponding to test results, medical diagnosis, names of referring doctors, and the dates and times of appointments.

In a release,  UAB Medicine has confirmed that no Social Security credentials, financial information, insurance information, addresses, or contact phone numbers were stored on the flash drives in question.

A detailed search of Viral Hepatitis Clinic was held, but the flash drives could not be found. The investigation into the PHI breach at UAB is continuing. It is not known whether the flash drives were disposed in error, lost within the facility or if they were stolen. UAB Medicine therefore cannot definitively say whether the PHI on the devices has been seen or used by unauthorized individuals.

The breach of PHI has lead to UAB Medicine overhauling its policies and procedures and measures have been adapted to prevent similar incidents from occurring in the future. All of those patients affected by the incident were made aware of the PHI breach by mail.

As it was only a limited type of data exposed, patients are not believed to face a serious risk of identity theft or fraud occurring. As a precautionary measure, patients have been advised to be diligent in reviewing their credit reports for any sign of fraudulent transactions.

As the potential for unauthorized access of PHI cannot be ruled out, UAB Medicine is also providing patients affected by the incident one year month of credit monitoring and reporting services.

Author: Security News