Two University of Florida breaches in 2013 that I seem to have missed
Just stumbled across these while searching for something else and I don’t recall ever seeing them before – from UF’s web site:
UF Beaches Women’s Health Specialists Lab Tests Inadvertently Sent to Baptist Medical Center
Published: July 15th, 2013
The University of Florida (UF) is notifying 142 patients of the University of Florida Beaches Women’s Health Specialists seen by Kristin Caldow, M.D. who had sexually transmitted disease (STD) testing performed from August 2012 to June 2013. Due to an administrative error, lab test results for patients of Dr. Caldow were sent to Baptist Medical Center Beaches in Jacksonville. Baptist Medical Center Beaches retained the lab test results in anticipation of these patients becoming patients of Baptist. After receiving lab test results for several months for patients who did not become patients of Baptist, in June 2013, Baptist notified the UF Beaches Women’s Health Specialists of its receipt of these lab test results. In response, an employee of UF Beaches Women’s Health Specialists went to Baptist and collected all copies of the lab test results of patients that were mistakenly sent to Baptist and returned them to UF Beaches Women’s Health Specialists. UF also instructed the outside lab to cease sending lab test results of Dr. Caldow’s patients to Baptist. The lab results sent to Baptist also included patients’ names, addresses, home phone numbers, dates of birth, the last four numbers of their social security number, test results, and ordering physician information for Dr. Caldow.
UF Department of Medicine Clinic Unauthorized Patient Record Access
Published: March 7th, 2013
JACKSONVILLE, Fla. — The University of Florida is notifying 151 patients that their personal and medical information was inappropriately accessed by an employee of the UF Department of Medicine Clinic at Emerson in Jacksonville. An employee was found to have accessed the accounts of 151 patients in a UF electronic medical record system. The employee did not have a legitimate business reason to access these patient accounts. 30 of the accounts accessed by this employee were of her co-workers and other UF employees who were patients of UF physicians. The employee had access to the electronic medical record system in furtherance of her job duties as a medical assistant. Once in a patient’s account in the electronic medical record system the employee was able to view patient name and date of birth, demographic information such as address, the patient’s social security number and medical information concerning the patient.
Florida law requires that patients be notified when their social security number is accessed by unauthorized parties without a legitimate business need or patient consent.
It is unclear why the employee viewed the patient information of these 151 patients; however, it is suspected that the employee may have known these individuals personally, and they may be friends, family or acquaintances of the employee. We do know that 30 of the patients whose accounts she accessed were co-workers and UF employees.
The employee was hired as a part-time employee in November of 2012 and became a full-time employee in December of 2012. The inappropriate access was first reported to the UF Privacy Office on February 4, 2013 and, after an investigation was conducted and the employee was interviewed, the employee’s employment was terminated on February 7, 2013.
The employee had completed 2 on-line UF privacy training courses and also attended a 30 minute live privacy session during new employee orientation. The employee knew or should have known that accessing the patient accounts without a legitimate business reason was in violation of UF policy.
The University of Florida has sent a letter notifying all of the patients whose information had been accessed by this employee. The UF Privacy Office mailed the patient letters Thursday, March 7. The mailings included a brochure that outlines ways individuals can safeguard their financial information and provides a privacy office hotline number, 1-866-876-HIPA, if they have questions.
UF had five breaches reported in 2013 (not all involved patient data), but three of the five involved insiders stealing or accessing patient data for malicious purposes like tax refund fraud schemes.
Because two of the breaches involved fewer than 500 patients, they did not appear on HHS’s public breach tool, but presumably were reported to HHS. So the question is: what is HHS doing about all these breaches at UF? How many more breaches do they have to have before there’s enforcement action to get them to better prevent and/or detect problems?