UAMS Investigating Breach of Information

April 20, 2012 | LITTLE ROCK – The University of Arkansas for Medical Sciences (UAMS) has discovered a breach of patient information, which resulted when a document sent to an individual outside of UAMS for analysis of billing charges was not properly de-identified.

The UAMS HIPAA Office investigates all potential breaches of protected health information. A UAMS physician sent financial data to an individual who was not a member of UAMS’s workforce in mid-February 2012, with the intention of removing all patient identifiers. On April 6, UAMS discovered that the data did in fact contain identifiers, including patient names, UAMS account numbers, dates of service, interventional radiology procedures, diagnosis codes, and charges and payments, for approximately 7,000 patients. Patients affected were interventional radiology patients seen at UAMS during 2009, 2010 and 2011.

No credit card, debit card, bank account or Social Security numbers were included in this information.

UAMS contacted the recipient of the data, and was assured that he had not disclosed the information to anyone else and that he did not look at or use patient names when he worked on his financial analysis. UAMS did discover that the data was transmitted via a web-based email service, which our IT Security Officer has determined to be a moderate risk. UAMS IT Security worked with the recipient to ensure that the information was permanently destroyed and no longer at risk. The UAMS employee who failed to properly de-identify the data has been placed in the disciplinary process for violating UAMS policies. UAMS also is conducting additional training of its workforce and evaluating its policies to prevent an incident like this from recurring.

“UAMS takes patient privacy and security seriously, and when we discovered this mistake, we did everything we could to mitigate the risk and prevent similar incidents from happening” said Vera Chenault, UAMS privacy officer. “We want patients to know what steps to take to protect themselves in the event that their information might have been included.”

UAMS has set up a toll-free telephone number for individuals to call for more information. Any interventional radiology patients who were seen at UAMS during 2009, 2010 or 2011 who believe their personal information might have been compromised in this incident should call 877-615-3745 if they have questions or concerns. Letters have been mailed to affected individuals.

UAMS is the state’s only comprehensive academic health center, with colleges of Medicine, Nursing, Pharmacy, Health Related Professions and Public Health; a graduate school; a hospital; a statewide network of regional centers; and seven institutes: the Winthrop P. Rockefeller Cancer Institute, the Jackson T. Stephens Spine & Neurosciences Institute, the Myeloma Institute for Research and Therapy, the Harvey & Bernice Jones Eye Institute, the Psychiatric Research Institute, the Donald W. Reynolds Institute on Aging and the Translational Research Institute. Named best Little Rock metropolitan area hospital by U.S. News & World Report, it is the only adult Level 1 trauma center in the state. UAMS has more than 2,800 students and 775 medical residents. It is the state’s largest public employer with more than 10,000 employees, including about 1,000 physicians and other professionals who provide care to patients at UAMS, Arkansas Children’s Hospital, the VA Medical Center and UAMS’ Area Health Education Centers throughout the state. Visit www.uams.edu or uamshealth.com.