Emory Healthcare (EHC) has discovered that a former employee obtained the protected health information (PHI) of many thousands of EHC patients and transferred the files to a Microsoft Office 365 OneDrive account, where it could potentially be accessed by other individuals.
The former employee was a physician at EHC who is now employed at the University of Arizona (UA) College of Medicine. EHC states that the patient information was taken without authorization and without its knowledge. EHC was alerted to the incident by the University of Arizona and received a list of affected individuals on October 18, 2017.
The OneDrive account could only be accessed by the physician, other former EHC physicians now at UA, UA staff who investigated the incident, and possibly a few other UA employees who had a particular type of UA email account. PHI was not exposed on the internet, and no other individuals are believed to have been able to view the data.
UA engaged a third-party forensic team to carry out an investigation; no evidence was found to suggest that patient information was accessed or used in any way. UA has confirmed that all EHC patient information has been securely and permanently erased from its systems and the account.
EHC states that no credit card information, driver's license numbers, phone numbers, addresses, financial information, or Social Security numbers were exposed. The information transferred to the account was limited to names, provider names, dates of service at EHC, treatment locations, treatment information, medical record numbers, diagnoses, and, in a few instances, dates of birth. The information was mainly limited to patients who had received radiology services at EHC from 2004 to 2014.
EHC is now notifying patients by mail that their PHI has been exposed and possibly disclosed. EHC has received no reports indicating that any of the information has been misused; nevertheless, as a precaution, patients have been advised to remain vigilant and to take steps to protect themselves against possible fraudulent use of their information.
EHC is now taking steps to prevent incidents like this from happening in the future, including increasing its patient care team training programs and revising and improving its safety measures.
The breach report submitted to the Department of Health and Human Services' Office for Civil Rights (OCR) indicates that 24,000 patients have been affected by the breach.