University of Iowa Health Care notifies 5,292 patients about files exposed online for two years

Public Notice – Patient Information Improperly Disclosed at University of Iowa Health Care

On April 29, 2017, University of Iowa Health Care (UIHC) discovered that, in May 2015, a
limited set of data containing protected health information of approximately 5,300 patients at University of Iowa Hospitals & Clinics was inadvertently saved in unencrypted files that were posted online through an application development site. Upon learning of this incident, UIHC acted immediately and deleted the files on May 1, 2017. UIHC’s investigation revealed that the information in the electronic files included patient name, date of admission, and medical record number. The files did not contain clinical information (for example, diagnosis information), social security numbers, or credit card and other financial information.

UIHC has sent letters to all impacted individuals for whom we have valid addresses by U.S.
postal mail. To learn whether your information was included in the breach or to ask questions, please call toll free at 800-654-5672, or email [email protected]

UIHC has no information indicating that information in the electronic files was misused or
further disclosed. While the information included in the files was very limited, we are advising individuals of steps to help prevent and detect misuse of the information. As a general matter, we recommend the following actions as good practices if you are concerned about misuse of your information:

Closely monitor any “Explanation of Benefits” or “EOB” sent by your insurance company or other entity that pays your medical bills.. If you see any suspicious activity on the EOBs or anywhere else, please report the suspicious information or error to your insurance company, health care provider or UIHC.

UIHC understands the serious nature of any potential breach – no matter how limited – so it has conducted a thorough investigation, identified and mitigated the risks, and strengthened its training and information oversight efforts to prevent a similar occurrence. UIHC values patient privacy and deeply regrets any inconvenience this may have caused UIHC patients and their families.

About the author: Dissent