UAMS Notifies Patients of Personal Information Breach

By Yavonda Chase

On Nov. 29, 2021, UAMS became aware that on Nov. 15, 2021, a former employee, while still employed with UAMS, sent emails with patient information attached from her UAMS email account to her personal Gmail account. The attachments consisted of Excel spreadsheets used for internal billing compliance auditing purposes and/or billing statements addressed to UAMS for reimbursement. The information included the names of 518 patients, their hospital account numbers, dates of service, insurance type, claim information for billing purposes and medical record numbers. For a handful of patients, their dates of birth and medication information were also included. The former employee, who voluntarily left UAMS, contends it was a mistake.

No credit card, debit card, bank account, address, driver’s license or Social Security numbers were included in this information. The attachments did not include any clinical documents or medical records, such as progress notes by physicians, nurses or other health care providers, medical history or lab results.

UAMS is notifying affected patients by mail and through its website.

“UAMS takes patient privacy and security seriously, and when we discovered this mistake, we did everything we could to mitigate the risk and prevent similar incidents from happening,” said Heather Schmiegelow, J.D., UAMS HIPAA privacy officer.

Immediately upon discovering the incident, UAMS filed a police report with the UAMS Police Department. The UAMS Vice Chancellor of Compliance contacted the former employee about the seriousness of the matter. The former employee explained that it was a mistake. She further explained in writing that it was an unintentional error on her part, and she did not retain or share any of the information.

UAMS has policies and procedures to safeguard and protect the privacy and security of patients’ health information, and all employees are trained on these policies and procedures. All employees are required to complete annual HIPAA training. The training covers topics such as using and accessing patients’ health information for legitimate, authorized purposes needed to perform job duties. It also addresses using secure and encrypted email and not using employees’ personal email to send and receive health information of UAMS patients.

If UAMS patients have questions or concerns, they may contact the UAMS HIPAA Office by email at hipaa@uams.edu, by phone at 501-603-1379 or toll free at 1-888-729-2755. They may also call the UAMS Compliance Hotline at 1-888-511-3969 after-hours and on holidays.

UAMS is the state's only health sciences university, with colleges of Medicine, Nursing, Pharmacy, Health Professions and Public Health; a graduate school; a hospital; a main campus in Little Rock; a Northwest Arkansas regional campus in Fayetteville; a statewide network of regional campuses; and seven institutes: the Winthrop P. Rockefeller Cancer Institute, Jackson T. Stephens Spine & Neurosciences Institute, Harvey & Bernice Jones Eye Institute, Psychiatric Research Institute, Donald W. Reynolds Institute on Aging, Translational Research Institute and Institute for Digital Health & Innovation. UAMS includes UAMS Health, a statewide health system that encompasses all of UAMS' clinical enterprise. UAMS is the only adult Level 1 trauma center in the state. UAMS has 3,047 students, 873 medical residents and fellows, and six dental residents. It is the state's largest public employer with more than 11,000 employees, including 1,200 physicians who provide care to patients at UAMS, its regional campuses, Arkansas Children's, the VA Medical Center and Baptist Health. Visit www.uams.edu or uamshealth.com.

###