UMC Physicians is sending breach notifications to patients of UMC Southwest Gastroenterology following the discovery that two of its employed providers erroneously uploaded patient data to an unsecured cloud service.
UMC Physicians, based in Lubbock, Texas, stated that the breach was caused by an error in judgement by the two providers. Each provider had set up a Google shared drive, which was used to track follow-up tasks related to the provision of care to patients to improve patient care experiences. However, the providers used an unapproved cloud storage solution, and as a result patient data was inadvertently stored on an unsecured network. This mistake increased the risk of unauthorized individuals accessing the data, thereby placing patients at risk of identity fraud.
Storing the data on an unsecured network was also a violation of UMC Physicians’ policies and procedures.
UMC Physicians discovered the breach on March 12, 2019. The organization launched an investigation to determine which patients’ protected health information had been exposed. UMC Physicians subsequently discovered that one of the providers had also been forwarding emails containing patient information to an unsecured Gmail account.
The types of information that had been stored on the unsecured network and emailed to the Gmail account included names, addresses, telephone numbers, medical record numbers, dates of birth, dates of service, health insurance carriers, diagnoses, and medical procedures performed. The breach of PHI did not expose highly sensitive information such as Social Security numbers, insurance policy numbers, and financial information.
In response to the discovery, UMC Physicians has provided additional training to employees on the use of approved cloud storage solutions. Technical controls will be implemented to prevent unauthorized cloud storage solutions from being used in the future.
UMC’s investigators have not discovered any evidence to suggest patient information has been accessed by unauthorized individuals, nor have any reports been received to indicate there has been a misuse of patient information.
Following HIPAA’s Breach Notification Rule, UMC has sent breach notification letters to all affected patients. UMC has also established a toll-free number for patients to find more information about the breach.
This breach highlights the need for HIPAA-covered entities to understand the security issues surrounding the use of third-party cloud service providers. These services can be used in a HIPAA-compliant manner, but they require covered entities to configure them correctly and to implement safeguards to ensure that PHI remains secure.
It is currently unclear exactly how many patients have been affected.