The University of Iowa Health Care (UIHC) has notified thousands of patients of a data breach that exposed their personal and medical information.
On 22 June, UIHC sent out notification letters to 5,300 patients affected by the data breach. The University explains in these letters that it has not found any evidence suggesting bad actors misused patients’ information. It also reveals that the security event didn’t affect certain bits of data like diagnoses, Social Security Numbers, and credit card information.
UIHC has issued a privacy notice about the event.
The data breach reportedly stretches back to May 2015. At that time, someone at UIHC is believed to have saved patients’ information, including their names, dates of admission, and medical record numbers, in unencrypted files posted to an application development website. Web developers and others routinely use that file-sharing site.
A security expert discovered the disclosure and notified the University of Iowa Health Care on 29 April 2017. UIHC spokesman Tom Moore tells The Gazette that the teaching hospital sprang into action:
“As soon as we found out the files could be seen by nonusers, we moved to take them down. On May 1, they were no longer posted on the web.”
In 2016, U.S. healthcare organizations reported 328 data breaches, outnumbering the 268 security events reported in 2015. Collectively, they exposed a total of 16.6 million Americans’ information.
Going forward, the University of Iowa Health Care recommends that affected patients closely monitor “explanation of benefits” forms received from insurance providers. Patients should report any suspicious activity to their insurer, health care provider, or UIHC.
The teaching hospital intends to stay busy in the meantime. Here’s Moore again:
“We understand the serious nature of any potential breach — no matter how limited. To make sure that something like this doesn’t happen again, we conducted a full investigation and strengthened our training and oversight efforts to prevent a similar occurrence.”
Those new efforts include employee training on data privacy, covering how to store patients’ information and how to build secure databases.
Affected patients who want to learn more about the data breach can call 1-800-654-5672 toll free or email firstname.lastname@example.org.