UAMS officials say patients affected were interventional radiology patients seen at UAMS during 2009, 2010 and 2011.
The breach happened when a document sent to an individual outside of UAMS for analysis of billing charges was not properly de-identified.
A UAMS physician sent financial data to an individual who was not a member of UAMS's workforce in mid-February 2012, with the intention of removing all patient identifiers. On April 6, UAMS discovered that the data did in fact contain identifiers, including patient names, UAMS account numbers, dates of service, interventional radiology procedures, diagnosis codes, and charges and payments, for about 7,000 patients.
No credit card, debit card, bank account or Social Security numbers were included in the information.
The UAMS HIPAA Office investigates all potential breaches of protected health information.
UAMS contacted the recipient of the data, and was assured that he had not disclosed the information to anyone else and that he did not look at or use patient names when he worked on his financial analysis. UAMS did discover that the data was transmitted via a web-based email service, which our IT Security Officer has determined to be a moderate risk. UAMS IT Security worked with the recipient to ensure that the information was permanently destroyed and no longer at risk. The UAMS employee who failed to properly de-identify the data has been placed in the disciplinary process for violating UAMS policies. UAMS also is conducting additional training of its workforce and evaluating its policies to prevent an incident like this from recurring.
"UAMS takes patient privacy and security seriously, and when we discovered this mistake, we did everything we could to mitigate the risk and prevent similar incidents from happening" said Vera Chenault, UAMS privacy officer. "We want patients to know what steps to take to protect themselves in the event that their information might have been included."
UAMS has set up a toll-free telephone number for individuals to call for more information. Any interventional radiology patients who were seen at UAMS during 2009, 2010 or 2011 who believe their personal information might have been compromised in this incident should call 877-615-3745 if they have questions or concerns. UAMS says letters have been mailed to affected individuals.