UMC Southwest Gastroenterology patient data compromised due to an unsecured network

• The compromised patient data includes names, email addresses, phone numbers, residential addresses, medical record numbers, dates of birth, dates of services, health insurance carrier, as well as medical information such as diagnosis and treatment.
• The healthcare firm is educating its employees on approved cloud storage in order to avoid such incidents from happening in the future.

What happened?

On March 12, 2019, UMC physicians discovered that two employees have created a Google shared drive each to track follow-up tasks related to patient care such as lab results, appointments, procedures, and therapies.

Furthermore, one employee has forwarded emails to an unsecured Google Gmail account. This has led to the compromise of patients’ PHI (Protected health information).

What data was involved?

The files in the unsecured Google shared drive contained patients’ data including names, email addresses, phone numbers, residential addresses, medical record numbers, dates of birth, dates of services, health insurance carrier, as well as medical information such as diagnosis and treatment. However, no financial information has been compromised.

What were the preventive measures taken?

• Upon learning the incident, UMC retrieved and/or deleted the affected files.
• UMC then conducted an investigation on the incident to determine the impact of the compromised information.
• The healthcare firm is educating its employees on approved cloud storage in order to avoid such incidents from happening in the future.
• It is further planning to implement other security solutions to prevent the use of unapproved cloud storage solutions.

“Although the two providers intended to ensure good patient care by taking these actions, the security of patients’ protected health information (“PHI”) was compromised by storing it on an unsecured network,” UMC said in a security notice.