UMC Physicians (UMCP) is educating employees on approved cloud storage solutions and notifying patients of an incident that may have compromised the privacy of protected health information held by their clinic: UMC Southwest Gastroenterology.
UMCP has no evidence of actual or attempted misuse of personal information at this time.
On March 12, 2019, UMCP discovered that two employed providers had each established a Google shared drive to track follow-up tasks related to patient care, such as: lab results, appointments, procedures, and therapies. One employee was forwarding emails to an unsecured Google Gmail account. UMCP immediately retrieved and/or deleted the affected files and simultaneously started an investigation to determine the scope of the information disclosed and to identify the affected patients.
Although the two providers intended to ensure good patient care by taking these actions, the security of patients’ protected health information (“PHI”) was compromised by storing it on an unsecured network. The PHI in some files included only a patient name and email address. However, some files contained some or all of the following: name, address, phone number, medical record number, date of birth, date of service, health insurance carrier, diagnosis, and/or procedure. No financial information, such as social security numbers, insurance policy numbers, or credit card information, was involved.
All employees are receiving education on approved cloud storage so that an incident like this one does not occur again. UMCP will implement other solutions to prevent the use of unapproved cloud storage solutions.
UMC and UMCP understand this incident may create worry and inconvenience for patients, and the health system sincerely apologizes and regrets that this incident has occurred.