University of Iowa Health Care warns thousands of patient data breach

No clinical information, social security numbers, or financial information disclosed


IOWA CITY — University of Iowa Health Care has notified 5,300 patients that a “limited set of data containing protected health information” was posted online for two years.

Back in May 2015, the private health information — including patient names, dates of admission, and medical record numbers — was inadvertently saved in unencrypted files and posted online through an application development site that others could see, according to UIHC.

Web developers routinely use the file-sharing site, according to UIHC spokesman Tom Moore, but information on it “should always be coded so that it remains private.”

“An employee used this open source programming tool as part of an application development for UI Health Care operations,” Moore said. “The files were not made private and were left on the site after the work was completed.”

An expert in online security discovered the disclosure April 29 and reported it to a UI Health Care privacy officer.

“As soon as we found out the files could be seen by nonusers, we moved to take them down,” Moore said. “On May 1, they were no longer posted on the web.”

The discovery prompted UIHC on June 22 to send letters to all affected patients.

The patient information posted online did not include clinical information like diagnoses, social security numbers, or financial information like credit card numbers, according to Moore. The university has no indication the disclosed information was misused, but it still is advising those affected to take steps to prevent and detect potential misuse of the information.

For example, the university recommends patients closely monitor “explanation of benefits” forms from insurance companies that cover medical costs, according to Moore. Suspicious activity should be reported to the insurer, health care provider, or UIHC.

“We understand the serious nature of any potential breach — no matter how limited,” according to the letters sent to affected patients. “To make sure that something like this doesn’t happen again, we conducted a full investigation and strengthened our training and oversight efforts to prevent a similar occurrence.”

Such efforts included tightening the process for development and management of custom databases; educating staff and students about how and when to use tools designed to store and move sensitive data; and enhancing employee training on data privacy for everyone who develops applications, according to Moore.

“We are committed to your health and to protecting your personal information,” according to the letters. “We sincerely regret and apologize this happened.”

The issue of patient data privacy has changed in recent years — and become increasingly relevant — as many institutions like UI Hospitals and Clinics have transitioned to electronic medical records. Global ransomware attacks this year have affected hospitals around the world.

Last year, Mercy Iowa City notified thousands of patients that a computer virus designed to capture personal data infected its computers — potentially disclosing personal patient information like diagnoses, treatment, and medications; insurance information and policy numbers; and — in some cases — social security numbers.

Mercy officials at the time stressed they had no evidence any data was collected or misused.

UIHC patients wanting to learn more about the recent breach can call toll free at 1-800-654-5672 or email compliance@uiowa.edu.

Comments: (319) 339-3158; vanessa.miller@thegazette.com
