A former physician at Emory Healthcare (EHC) took the protected health information (PHI) of thousands of EHC patients without the hospital's authorization or knowledge. He uploaded the information to a Microsoft Office 365 OneDrive account, where other individuals could potentially access it. The former EHC physician now works at the University of Arizona (UA) College of Medicine. The University of Arizona alerted EHC to the incident. EHC obtained the list of affected patients on October 18, 2017.
Only a few people had access to the OneDrive account, including the physician, former EHC physicians currently working at UA, UA staff who investigated the breach, and some UA staff members who had a particular type of UA email account. It is believed that the PHI was not exposed online and no one else viewed the information. A third-party forensic team investigated the incident even though there’s no evidence to suggest patient data was viewed or used.
The data found to have been uploaded belonged to patients who received radiology services at EHC from 2004 to 2014. Data included names, dates of service at EHC, medical record numbers, provider names, diagnoses, treatment location, treatment information and dates of birth, in some cases. No financial information, Social Security numbers, credit card information, driver’s license numbers, or phone numbers were exposed. All EHC patient information had already been securely deleted from UA’s account and its systems.
EHC notified patients by mail of their PHI exposure and potential disclosure. No reports indicate any misuse of the information, but EHC advised patients to be vigilant and careful about potential fraudulent use of their information.
EHC also took the necessary corrective action, such as evaluating and improving security measures and enhancing care provider education programs. These measures are aimed at preventing similar incidents from happening again. EHC submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights, indicating that 24,000 patients were affected by the breach.