The University of Arkansas for Medical Sciences (UAMS) has discovered a breach of patient information, which resulted when a document sent to an individual outside of UAMS for analysis of billing charges was not properly de-identified.
The UAMS HIPAA Office investigates all potential breaches of protected health information, the Little Rock-based organization stated. In mid-February, a UAMS physician who intended to remove all patient identifiers sent financial data to an individual who was not a member of UAMS’s workforce.
On April 6, UAMS discovered that the data contained identifiers, including patient names, UAMS account numbers, dates of service, interventional radiology procedures, diagnosis codes, and charges and payments, for approximately 7,000 patients. Patients affected were interventional radiology patients seen at UAMS during 2009, 2010 and 2011.
No credit card, debit card, bank account or Social Security numbers were included in this information.
The provider said it contacted the recipient of the data and was assured that he had not disclosed the information to anyone else and had not looked at or used patient names when he worked on his financial analysis. However, UAMS discovered that the data were transmitted via a web-based email service, which its IT security officer has determined to be a moderate risk.
UAMS IT security worked with the recipient to ensure the information was permanently destroyed and no longer at risk. The employee who failed to properly de-identify the data has been placed in the disciplinary process for violating UAMS policies. The provider also is conducting additional training of its workforce and evaluating its policies.